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ABSTRACT 


Computer Forensics involves the preservation, identification, extraction and 
documentation of computer evidence stored in the form of magnetically encoded 
information. With the proliferation of E-commerce initiatives and the increasing criminal 
activities on the web, this area of study is catching on in the IT industry and among the 


law enforcement agencies. 


The objective of the study is to explore the techniques of computer forensics from 
the computer security perspective. Specifically, the thesis looks into the application of 
forensic principles and techniques, security designs of computer hardware and software, 
and network protocols, in an effort to discover the trails of the computer hackers. The 
thesis subsequently packages this knowledge into a curriculum for a twelve weeks 


resident course at the Naval Postgraduate School. 


Complementing the course materials are surveys conducted on agencies and 
vendors currently providing computer forensic courses and training, reading materials, 
and software tools applicable to computer forensic investigation. The purpose of these 
surveys is to provide a depository of useful information related to this specialized 


discipline of computer security. 


It is the hope of the study that students in the future will benefit from the 
knowledge gathered in this thesis and the exposure gained from the course and laboratory 
exercises will allow them to correctly respond to computer intrusions and unauthorized 


activities they may encounter on their C4I systems. 
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DESCRIPTION OF THE THESIS 


A. INTRODUCTION 


The objective of the study is to explore the techniques of computer forensics from 
the computer security perspective and package this knowledge into a curriculum for a 
twelve week resident course at the Naval Postgraduate School (NPS). Specifically, the 
thesis has looked into the application of forensic principles and techniques, security 
designs of computer hardware and software, and network protocols, in an effort to 


discover the trails of the computer hackers. 


This course is intended to provide students with an understanding of the 
fundamentals of computer forensics. Students will examine how information is stored in 
computer systems and how it may be deliberately hidden and subverted. The course will 
establish a sound theoretical foundation on the methods used in extracting information for 
evidential purposes before going on to emphasis practical forensic examination and 
analysis. It will also cover the techniques of computer evidence recovery and the 


successful presentation of such evidence before the court. 


Complementing the course materials are surveys conducted on agencies and 
vendors currently providing computer forensic courses and training, reading materials, 


and software tools applicable to computer forensic investigation. 


While it is not the purpose of this course to train students to become computer 
forensic experts within such a brief period of instruction, it is hoped that it can provide 
basic computer forensic knowledge to the Computer Science and _ Information 
Technology graduates. If more students from NPS become experienced in the 
fundamentals of computer forensics, then more Military Commands will be able to 
benefit from the capability of these graduates to correctly respond to computer intrusions 


and unauthorized activities on their C4I systems. 


B. COMPUTER SECURITY EDUCATION IN NPS 


Educating students in the techniques of computer and network security demands 
an institution that is properly equipped with the necessary resources in order to stay 
current with both information system technology and advances in computer security 
threat, tools, techniques, solutions and risk containment. Students aspiring to become 
Information Security (INFOSEC) professionals must receive the relevant education and 
good training foundations to work effectively in a variety of INFOSEC situations. Since 
the underlying technologies are changing so rapidly, yesterday’s most significant 
problem and solution may be of no relevance tomorrow. As such, they need to be 
educated broadly enough to allow them to move rapidly to new problem areas and new 


technologies. 


During the “Goals for Computer Security Education” forum at NPS, Jim 
Schindler, a participant from HP, mentioned that technology is changing, computer 
paradigms are changing, and security requirements are changing. He considered security 
education a must for a much larger community than security professionals. [6] The 
explosive growth of information systems has resulted in rapidly changing technologies 
and challenges in computer security. Continued curriculum development is necessary to 
ensure a timely, coherent and comprehensive program in INFOSEC foundations and 


technology. 


NPS has fostered an academic environment to examine the INFOSEC 
requirements of the Department of Defense (DoD) and address the challenges presented 
by those requirements. It has developed a strong curriculum for computer and network 
security courses and continues to conduct leading-edge research in problems related to 
information assurance. These initiatives not only increase an appreciation of the 
foundations of computer security, but also heighten an understanding of the need to 
consider security throughout the entire process of system design and development. 
Through the Center for Information Assurance and INFOSEC Studies and Research 
(CISR), NPS has been producing a talent pool of computer security savvy graduates to 
apply to the variety of INFOSEC challenges in the DoD. [7] 


C. WHY A COMPUTER FORENSIC COURSE IN NPS 


Computer and network security is not a discipline for the isolationist. Computer 
security education needs to produce individuals who have a broad understanding of the 
scope of the discipline as well as considerable knowledge and expertise in specific areas. 
[8] Computer forensics, the application of established forensic methodology in the 
examination of computer crime, is one of these specific areas that have gained increasing 
emphasis in large corporations and especially in the defense organizations. No longer are 
organizations content with relying solely on national Computer Emergency and Response 
Teams (CERT) or law enforcement agencies to perform investigation on suspected 
compromise in their computer systems. More and more of them are gearing up to arm 
themselves with in-house computer forensic skills to meet the increasing likelihood of 
threats to their “corporate lifelines’. Many organizations’ business functions will come to 
a halt if their network computer system collapses. No longer are they willing to rely 
solely on the advice of the CERT organizations or law enforcement agencies who are 
likely to shut off their entire system even if the suspected security compromise is only 
reported in a localized sector of the network. 


This developing trend is a result of numerous motivations. Given the volatile 
nature of digital information in the computer and magnetic media, digital evidence in the 
system can be potentially destroyed when one responds to a suspected intrusion, whether 
by “doing something or doing nothing’. As most computer security professionals will 
advocate, having an incident response plan is not just fashionable. From the instance an 
intrusion is detected, every additional action taken, whether trivial or not, can bring 
considerable consequence to the success of an investigation effort. Even having a 
thoroughly tested incident response plan is not fool-proofed. Responding to reported 
computer security incidents require constant evaluation of the effects observed so far, 
before taking the next step. However, if one is armed with basic knowledge in computer 
forensics, then one is more likely to be able to accurately anticipate the consequential 
effects. The likelihood of success that each action taken to contain the damage to the 
system and towards the investigation effort can also be dramatically improved. Arming 
computer security professionals within the organization with basic computer forensic 


skills can enable the organization to react correctly in the first few moments of a reported 
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computer security incident by facilitating the preservation of digital evidence for the 


subsequent investigation when the “big boys” or experts takeover the case. 


Due to increasingly confusing business client privacy legislation and the liability 
that an organization faces if its computer system has been used as a tool to attack another 
computer system, many organizations are finding it more attractive to conduct their own 
computer security incident investigations than report them to the authorities, unless they 
have already developed into an advanced stage that can no longer be hidden from the 
general public’s notice. Whenever feasible, organizations will prefer not to alarm their 
clients or risk their reputation by announcing or admitting the existence of a computer 
security incident. Not only will this blemish an organization’s standing in the industry 
and market competitiveness, it may also bring on the unwelcomed involvement of law 
enforcement agencies and media attention. Once an investigation has escalated to the 
point of law enforcement agency involvement, the confidentiality of the organization’s 
sensitive information on its clients, market strategy, competitive advantage initiatives and 
“dirty laundry” comes under the mercy of the external investigators. Thus, harnessing 
basic computer forensic skills in-house will enable organizations to conduct their own 
investigations and keep the incident within its own perimeter, especially for minor 


incidents that can be conveniently “swept under the carpet’’. 


If an organization is an agency in a defense department, the argument for in-house 
computer forensic expertise is even greater. In this case, an alarm may not just cause a 
loss of public confidence, but also public panic, because DoD’s information is so 
pertinent to national security interests. Thus, it is not surprising that ministries, military 
establishments, and the state and defense departments all have their own computer 
forensic expertise in varying degrees. Since technology is the most effective force 
multiplier in modern combat, most defense and military organizations have invested 
heavily on C4I in their force structure. As such, computer technology, information 
protection and networking have become indispensable in the military infrastructure with 
military systems becoming increasingly dependent upon the national information 
infrastructure for critical services. A key aspect of achieving and maintaining information 
superiority is the protection of critical national information assets. In fact, “cyberwar’— 


creating havoc in the national information infrastructure of an adversary—has been 
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identified by many armed forces as one of the important strategic options. Many defense 
organizations have placed considerable emphasis on safeguarding their C4I systems and 
mastering techniques to deny the enemy effective use of their C4I system. The detection 
of an initial computer attack could be an early warning sign of an impending military 
attack because, as is common in many military options, the first strike leading to the 
escalation to a full-blown war is generally an operative that will bring an asymmetric 
effect to the enemy and least risk of casualties to their own force. However, it is 
important for the military to be able to promptly distinguish between attacks carried out 
by “script kiddies” from the orchestrated attacks sponsored by state players. To this 
effect, defense organizations have, in tandem to their civilian law _ enforcement 
counterparts, developed advanced technologies in the discipline of computer forensics. 
Unfortunately, the opportunities for computer forensic training in defense organizations 
have been limited generally to individuals and agencies that are highly specialized in the 
area. Even though increasing numbers of subordinate Commands are developing and 
operating their own computer systems, most do not have any computer forensic 
considerations beyond their standard incident response plans. Thus, as with business 
corporations, it is becoming increasingly attractive for individual Military Commands to 


possess a sufficiently high level of computer forensics capabilities. 


To date, only the Royal Military College of Science (RMCS), United Kingdom, 
has a program leading to a Postgraduate Diploma or Master of Science in Forensic 
Computing. Thus it is imperative that NPS consider developing such a curriculum when 
the resources become available. As a start, it can provide basic computer forensic 
knowledge to the Computer Science and Information Technology graduates. If more 
students from NPS become experienced in the fundamentals of computer forensics, then 
more Military Commands will be able to correctly respond to detected computer 
intrusions and unauthorized activities on their C4I systems. It is this motivation that has 
lead to the formulation of computer forensic material for a potential Computer Forensic 


Course at NPS. 


D. WHAT IS COMPUTER FORENSICS 


Computer forensics involves the preservation, identification, extraction, analysis, 
documentation and presentation of computer evidence. This computer evidence is useful 
in criminal cases, civil disputes, and human resources/employment proceedings. Many 
times computer evidence is created transparently by a computer’s operating system and 
without the knowledge of the computer user. Such information is often hidden from view 
so that special forensic software tools and techniques are required to preserve, identify, 
extract and document it. It is frequently this information that benefits law enforcement 


and military agencies the most while gathering evidence during an investigation. 


With the proliferation of computers in the workplace, it should be no surprise that 
computer technology is involved in a growing number of crimes. As more criminals use 
technology to achieve their goals and avoid apprehension, there is a developing need for 
specialists who can analyze and use digital evidence stored on and transmitted by 
computers. [2] As such, the discipline of computer forensic analysis has emerged to meet 
such needs. Computers can contain evidence in many ways, in electronic mail systems, 
on network servers and on individual's computers. However, due to the ease with which 
computer data can be manipulated, the search and analysis need to be performed by a 
trained computer forensic specialist, otherwise it will likely lead to evidence being either 


overlooked or rendered legally useless. 


E. SURVEY OF AGENCIES AND VENDORS PROVIDING COMPUTER 
FORENSIC COURSES AND TRAINING 


The field of computer forensic investigation is a relatively new addition to the 
forensic sciences. Computer forensic analysis requires a thorough and _ painstaking 
examination of digital evidence. This evidence may take the form of digitally stored 
documents, photographs, sounds, motion pictures, spreadsheets, databases, Internet 
history files, or any other recording in digital form. In addition, the examiner may be 
asked to retrieve these documents or recordings after they have been deleted, fragmented 
or encrypted. This mandates that the forensic examiner have a diverse set of both 


technical and investigative skills. Due to the exponential growth of computer technology 


and the increasing rate of change in that technology, law enforcement and government 
agencies are unable to continually provide qualified computer forensic examiners. When 
the area of computer forensics was established more than a decade ago, there was no 
standard as to what comprises a basic or advanced computer forensic training, education 
or certification program. [9] Since then, there have been numerous activities and efforts 
by the industry and computer security agencies to define the concepts and structures of 
computer forensics. Currently, training in computer forensics is widely available. It is 
offered by government, private and academic organizations, with some programs are only 
available for law enforcement officers. A list of the agencies and vendors providing 
computer forensic courses and training is detailed in Appendix A. These may prove to be 


valuable sources for maintaining staff expertise and course currency in the future. 


F. SURVEY OF READINGS ON COMPUTER FORENSIC 


The number of published books, journals and articles related to computer 
forensics has blossomed dramatically in recent years. Many of these books and 
publications are written within the last three years. In addition, many credible sources of 
information related to computer forensics can be found on the websites of numerous 
interest groups, INFOSEC agencies, law enforcement organizations and _ vendors 
providing computer security solutions. While it is not possible to read and comment all of 
these materials, a list of books on computer forensics has been provided in Appendix B 
with brief editorial reviews and selected readers’ comments. It is hoped that this list will 
facilitate the lecturer and student who is interested in reading material that is beyond the 


scope of the course. 


G. SURVEY OF TOOLS FOR COMPUTER FORENSIC INVESTIGATION 


The use of computer forensics tools is invaluable in gathering computer forensics 
information. Computer forensic software tools can be used to identify passwords, 
backdated files, network logins, files stored in a computers memory and the hard disk; 
and associate an external document to a specific computer. A list of popular computer 


forensics toolkits is consolidated in Appendix C. Due to relatively limited demands for 
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such specialized toolkits, most of these computer forensic suites are not widely advertised 


or promoted. 


Examining a computer for forensic evidence generally requires another computer 
and a set of forensics tools. Various developers and vendors of computer forensic 
analysis software have their own unique perspective on the needs of the investigative 
community and their own approach as to how to meet those needs. An investigator would 
naturally desire a forensic analysis toolbox to have all possible forensic capabilities. 
However, in reality, there is no such a universal toolbox. What the various developers 
and vendors have produced is a suite of tools that meets a significant majority of an 
investigator's needs. James Holley’s Meeting Computer Forensic Analysis Requirements 


[5], which are summarized in Appendix D, provides an overview of such requirements. 


H. DESCRIPTION OF THE COMPUTER FORENSIC COURSE 


This course is intended to provide students with an understanding of the 
fundamentals of computer forensics. Students will examine how information is stored in 
computer systems and how it may be deliberately hidden and subverted. The course will 
establish a sound theoretical foundation on the methods used in extracting information for 
evidential purposes before going on to emphasis practical forensic examination and 
analysis. It will also cover the techniques of computer evidence recovery and the 


successful presentation of such evidence before the court. 


Laboratory facilities will be used to imtroduce students to the use of common 
computer forensic tools, the principle of original integrity, disk examination, logging and 
preparation of evidence. Further descriptions of the laboratory exercises are found in the 


section on Laboratory Setup and Instruction Manual. 


Recommended prerequisites for the Computer Forensic Course shall ideally 
include the incumbent CS3600—Introduction to Computer Security and CS3670— 
Secure Management of Systems. These computer security foundation courses will 
provide students with a good understanding of the security mechanisms that are in place 
in most computer systems and how they can aid in the recovery of digital evidence in a 


forensic analysis. Exposures to hacking techniques and tools in CS3675—Internet 
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Security Resources and Policy, will further enhance the students’ appreciation on the 
characteristics of genetic tracks left behind by these security exploits. However, this 


course is not an absolute prerequisite. 


Based on the scope and magnitude of the course materials, weekly instruction 
with three hours of lectures and two hours d laboratory exercises should be adequate for 
the students to complete the syllabus at a comfortable pace, with opportunities to clarify 
doubts during classes and considering the occasional cancellation of classes on official 


holidays within an academic quarter. 


I. MATERIALS FOR COURSE LECTURES 


The course materials were gathered from various books, journals and orline 
articles. In order to support a course that provides wide coverage of many relevant topics, 


much of the content is derived from the main sources described below. 


Materials on the application of forensic methodology in a computer crime 
investigation were extracted from Digital Evidence and Computer Crime: Forensic 
Science, Computers, and the Internet by Eoghan Casey. [2] The Handbook of Computer 
Crime Investigation: Forensic Tools & Technology, which is edited by Eoghan Casey [3] 
consists of chapters written by a few top experts, provided materials for the three aspects 
of the course. It provided a good description of some of the leading computer forensic 
tools, simple to read technical information for collecting and analyzing digital evidence, 
and case examples of the technical, legal and practical challenges in real computer 


investigations. 


The on-line Computer Forensics Column from the Doctor Dobb's Journal column 
by Dan Farmer and Wietse Venema [4] provided good technical coverage on forensic 
techniques for the Unix and Linux environment. Some of the materials were also 
borrowed from the Unix Computer Forensics Analysis Class that was conducted at the 
IBM Thomas J Watson Research Center in August 1999. These on-line materials are free 


and available on either www.fish.com/security/ddj.html or www.porcupine.org/forensics. 


Last but not least, The Process of Network Security: Design and Managing a Safe 
Network by Thomas Wadlow [10] helped to fill in the management perspectives on 
responding to computer-related incidents and advice on how to facilitate the activities of 


a computer forensic investigation. 


While a course text is not absolutely necessary, the Handbook of Computer Crime 
Investigation: Forensic Tools & Technology, by Eoghan Casey, is a recommended 
reference text. Students who are unfamiliar with Unix or Linux can refer to the on-line 
Computer Forensics Column from the Doctor Dobb's Journal column series by Dan 


Farmer and Wietse Venema. 


J. CONTENTS OF THE COURSE 


The course content is organized into the following twelve sections, each covering 


a specific area related to the topic. 


1. Cyber Crime & Incident Response 


This section starts with an explanation on how computers and networks 
could be used as instruments for crime, the types of cyber crimes and computer 
crime prosecution. Incident response is described in terms of the necessary 
reaction measures, procedural steps and priorities, investigation checklist and risk 


management. 


Zz Introduction to Computer Forensics 


This introduction to computer forensics focuses on the collection and use 
of digital evidence, hardware, information media and physical evidence. It also 
describes the controversies of whether to turn the computer off or leave it running 
when an attack is detected and on reporting the computer crime to the law 


enforcement agencies. 
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3. Application of Forensic Science to Computers 


Computer forensics applies the basic principles of forensic science to 
computer crime investigation. It describes the fundamentals and highlights issues 
pertainng to the recognition, preservation, collection, | documentation, 
classification, comparison, individualization and reconstruction of the digital 


evidence. 


4. Structure for Forensic Investigations 


The structural requirements for forensic investigations emphasizes the 
importance of preserving the integrity of the digital evidence by first testing the 
reliability of the forensic tools used for formulating the leads in the investigations. 
It also highlights some of the specific issues related to data and evidence 
recovery. The last part of this section describes ways to characterize an intrusion 


and how an examiner’s mindset can influence the success of the investigation. 


5: Computer Forensic Procedures 


This section steps through the common computer forensic procedures in 
details. It differentiates the differences between physical from logical 
examinations. It also highlights the challenges of investigating criminal activities, 
problems of gaining access to the relevant data, opportunities for tampering and 
the chain of trust. Understanding the data storage and its logical abstraction are 
necessary for preparing, imaging, processing, filtering, preserving and 
reconstructing the evidentiary images. Thereafter, the digital evidence shall be 


indexed and bates numbered for electronic management and future reference. 


6. Forensics using MAC Times 


MAC Times represent the last time a file was modified, accessed or had its 
attributed changed. The analysis of the MAC Times has often been invaluable in 


helping the examiner understand how files in the system were manipulated or 
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deleted during the crime. The section also cautions how the MAC Times could be 


subjected to tampering. 


7. Forensics on Windows 


This section starts with an introduction of the Windows master file table 
and metafiles for the NT file system and the folder entries for the file allocation 
table. It goes on to describe the characteristics of the recycle bin, shortcut files, 
registry entries, printer spool and operating system logs for the system events, 
internet information server, Exchange mail server, Outlook mail client and Active 
Directory; and how digital evidence can be recovered from these information 


depositories. 


8. Forensics on Unix 


Similar to the previous section, this section starts with an introduction of 
the user permissions, shared files and system services. The numerous standard 
logs and the Shell history files in the Unix operating system commonly provide a 
rich source of digital evidence. The section also describes the process of restoring 
information from backup tapes and on duplicating the hard drive. It notes that 
some of the system events are not necessarily recorded in the system logs and 
how entries in these logs can be manipulated or tampered. Understanding the 
details of the Unix file system, the file attributes, and their logical and physical 
properties, is necessary to comprehend the effects of file deletion and in 


recovering the erased tracks. 


9, Forensics on the Networks 


Computer forensics on the networks poses numerous challenges and 
difficulties due to the voluminous, transient and dispersed nature of the 
information on the network activities. This section describes how information on 
the network traffic could be collected and reconstructed for evidentiary purposes. 


In particular, the Netflow records, dialup server logs, network sniffer, TCP logs 
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and the various logs in the Unix and Windows operating system, address 
resolution cache at the datalink layer and intrusion detection system are valuable 
sources for finding digital evidence on the network activities. Similarly, there are 
also reliability and time synchronization problems related to these logs that the 
examiner must take into considerations. The final part of this section deals with 
network forensics on the application layer, such as emails, relay chat and the 


Internet. 


10. —‘ Forensics on an Unknown Program 


Identifying an unknown program requires analysis tools to study clues in 
the symbol tables and embedded strings in order to understand exploit code and 
backdoor code. Valuable information can be gathered from the system 
configuration, system and user programs, system and kernel memory, raw 
memory and the disk, or from the IP hostnames. This section also gives an 
example showing the determining of an unknown program that was installed 


through a compromised root account. 


11. Forensics on Intrusion Activities 


This section brings together the knowledge from the previous sections to 
perform forensic examinations on intrusion activities and reconstruction of the 
user activities. It looks at some of the unmistakable rootkit signatures and the 
tools and methods for collecting the digital evidence in areas such as program 
analysis, memory examination, remote network examination, process capture and 
system call trace. A forensic case example is also used in the latter part of the 
section to step through an investigation of a suspected intrusion, with follow up 


actions and a post mortem. 


12. Forensics on Wireless Network 


Forensic examinations on the wireless network centers mainly on the 


mobile phone network, covering areas such as the circuit switched wireless 
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network, the mobile device, the SIM card, the switching center, the various 
registries, the operational and maintenance center, encryption, billing database, 
wiretapping and location-based services. This section concludes with a_ brief 


description on the analysis of the 802.11 wireless local area network. 


K. LABORATORY EXERCISES 


Since computer security education and training is not an abstract academic 
discipline, it lends itself to the use of laboratory exercises. Formal classroom instruction 
needs to be augmented with case study analysis and projects necessary to impart such 
analytic and technical skills. [1] In addition, laboratory exercises help students 
understand and internalize key concepts. The use of tools and methods from both 
academic programs and industry can help instructors build useful laboratory programs to 


clarify the concepts and provide interesting challenges for the students. 


The objective of the course is not to train students in the details of a particular 
product or to pass a standardized classroom test. Rather, the focus & on developing the 
students’ analytical skills to tackle any computer security incidents that may arise. A set 
of laboratory exercises is thus designed to illustrate the computer forensic concepts being 
taught in class. Students will learn to use operating system tools and rootkits to extract 
useful digital evidence as well as lay their hands on professional computer forensic 


software. 


L. SUMMARY OF THE LABORATORY EXERCISES 


The laboratory manual is organized into seven sections covering the main topic 


areas in the course. 


1. Foundstone Forensic Toolkit 


The Foundstone Forensic Toolkit contains several Win32 command line 


tools to help examine files on an NTFS disk partition for unauthorized activity. 
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These open source tools scan the disk for hidden files and chta streams, and list 


them with their MAC time without tampering the data attributes on the disk. 


2. EnCase (Guidance Software) 


EnCase is a powerful and non-invasive computer forensic tool featuring 
a graphical user interface that enables examiners to easily manage large volumes 
of computer evidence and view files, file slack and unallocated data. The 
integrated functionality of EnCase allows the examiner to perform all functions of 
the computer forensic investigation process, from the initial previewing of a target 
drive, the acquisition of the evidentiary images, the search and recovery of the 


data and the final reporting of findings, all within the same application. 


3. AccessData Forensic Toolkit 


The AccessData Forensic Toolkit (FTK) is a handy utility offering a 
complete suite for performing forensic examinations of computer systems. Its full 
text indexing offers quick advanced searching capabilities. Its deleted file 
recovery and file slack analysis are commendable. FTK is also interoperable with 
other AccessData utilities such as password recovery and encryption file 
identification programs. In addition, the FTK incorporates Stellent's Outside In 
Viewer Technology to access over 255 different file formats. The Known File 
Filter (KFF) feature can be used to automatically pull out benign files that are 
known not to contain any potential evidence and flags known problem files for 
the investigator to immediately examine. FIK can also support evidence files 


acquired by EnCase, Snapback, SafeBack and Linux DD. 


4. Windows Event Log Analysis 


Microsoft WinNT/2K can be configured to log events in binary files to 
record System events, Application events and Security events. These event logs 


store the descriptive messages in the registry and the separate executables or 
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dynamic link library files. The Event Viewer combines and displays the 
information in these files, providing a convenient way to view the data. 
Consequently, copying event log files from one system to another for examination 
may result in misinterpretation when viewing event logs on a remote system. The 
Event Viewers will read the event record data from the remote log files, but will 
search the registry of the local system for the corresponding event message files. 
Unless the forensic PC have similar configuration to the imaged system, it is 
necessary to extract all the registry keys and event message files from the image. 
By viewing the extracted logs using the Event Viewer, it is possible to create a 
short list of missing event message files and configure them in the forensic PC 
accordingly. Otherwise, the Event Viewer will not display explanatory material 


for any event for which there is no associated event message file. 


5. DumpEvt (SomarSoft) 


It is evident from the previous exercise, the clumsiness of performing 
manual Windows event log analysis on a remote forensic PC. Moreover 
displaying the logs using the Event Viewer is not very conducive for analysis 
since the Event Viewer is not integrated with other data processing tools. Besides, 
performing separate log analysis on individual machines in a_ networked 
environment does not readily link a related event across multiple machines. 
Rather, importing the contents of multiple machines’ log files into a spreadsheet 
makes it easier to sort events chronologically and search the logs simultaneously. 
DumpEvt is a utility designed to dump multiple event logs in a format suitable for 


importing into a database to facilitate more event log analysis. 


6. Unix Log Analysis 


Unix serves as a wonderful training ground for computer security 
specialists. It teaches about access permissions for objects, builds on MS-DOS 
knowledge, and expands on MS-DOS piping and redirection capabilities. Using 


Unix scripting capabilities similar to DOS batch file, an investigator can create 
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combinations of commands into specialized programs to conduct security audits 
and to do granular file searching. The Unix system also has a comprehensive set 
of system configuration files that can prove to be an invaluable source of 


information. 


Te Network Analysis 


Analyzer is a fully configurable network analysis program for Win32 
environment. It captures packets from network and displays them through a user- 
friendly graphical interface. Analyzer is capable of capturing packets from the 
network for real time monitoring and creating capture files. It allows the examiner 
to describe the protocol format, customize the display of the packets, evaluate 
statistics, plot graphs, set query on the analysis engine and set filter to record 


packets at the MAC, Network, Transport or Application Layer. 


The intention of the laboratory exercise is not to spoon-feed students with step- 
by-step instructions on how to conduct a forensic examination. Rather, students will be 
expected to actively search for the relevant information, user instructions, software 
downloads, and put into practice the course concepts, in carrying out the exercises. This 
is to build up their resourcefulness and creativity towards tackling future forensic 
examinations. Pertinent technical guidance is included in each of the exercises in order to 


help them get started. 


All the exercises will require students to have access to the Internet to download 
the software tools and if required, seek clarifications or technical support from the vendor 
on emails. However, this does not necessarily require the forensic machines to be 
connected to the external network. Rather, some of the exercises only require a 
standalone forensic machine with evidence already captured on a diskette, while others 
only require the forensic machine to be interconnected with the subject machines in a 
local area network. Implicit in the laboratory instructions is the preparation of the 


relevant evidence files by the laboratory technician for the students’ forensic 
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investigations. Subject evidence issued to the student project groups shall preferably 


contain subtle differences between the groups to discourage duplications. 


The laboratory exercise involving the EnCase forensic tool will require the 
forensic machine to be attached with a physical dongle on its parallel or USB port. This is 
a copyright protection feature. The user name and the corresponding password distributed 
with the licensed software are also necessary for downloading the latest software version 
of the forensic tool from the Guidance Software’s website. All the other laboratory 
exercises are based on the inherent operating system utilities, freeware or demonstration 
software, which can be obtained from the relevant websites without cost. The 
demonstration software may include certain’ restrictions on its functionalities. 


Nevertheless, they are adequate for students to fulfill the laboratory requirements. 


M. CONCLUSION 


Becoming a computer forensic expert demands more training and experience than 
the brief introduction that can be afforded by this course. Computer forensics warrants 
technical expertise across a wide range of operating systems, hardware, and network 
devices and protocols. It is thus not the aim of this thesis to develop a course that will 
encompass all the necessary technical disciplines in order to produce graduates who will 
immediately become computer forensic experts. Rather it is hoped that the knowledge 
and laboratory exposure gained from the course will allow them to correctly respond to 
detected computer intrusions and unauthorized activities they may encountered on their 
C4I systems and facilitate those who aspire to become a full-fledged computer forensic 
expert, to start with by equipping them with the fundamentals in this specialized 


discipline of computer security. 
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APPENDIX A: LIST OF AGENCIES AND VENDORS PROVIDING 
COMPUTER FORENSIC COURSES AND TRAINING 


1. AccessData Corporation 
www.accessdata.com 


AccessData Corporation has been doing business in the computer forensic and 
cryptography fields since 1987 and has established itself as a password recovery 
expert. Since then, AccessData has developed a trusted relationship with the US 
Government, state and local law enforcement, and corporate America. To help 
keep government agencies and corporate security departments up to date with 
current computer forensic technology, AccessData has developed training 
seminars to help both the novice and expert computer specialists. 


A 4-day Computer Forensic Training Class costs $1600 (not inclusive of 
software). The course covers basic computer forensic fundamentals and training 
on AccessData's Forensic Toolkit, Password Recovery Toolkit, and Distributed 
Network Attack Toolkit. 


2. ASR Data Acquisition and Analysis 
www.asrdata.com 


ASR Data Acquisition and Analysis is a leading authority in the field of 
computer investigations by the United States Department of Justice. It provides 
software solutions, training and technical support to meet the needs of law 
enforcement agencies. 


ASR _ offers six computer forensic courses, namely the Data Acquisition 
Protocols Course, the Data Analysis Protocols Course and the Computer Crime 
Investigative Techniques Course for either DOS/Windows or Macintosh. These 
courses are geared toward the use of the Expert Witness, an automated 
computer forensic application created by ASR. 


3. Berryhill Computer Forensic 
www.computerforensic.com 


Berryhill Computer Forensic provides computer forensic services to law 
enforcement agencies, attorneys, private investigators and businesses. It owns 
expertise and experience in handling evidence in criminal and civil cases, and 
also facilities to secure sensitive material. It caters mainly to law enforcement 
agencies in the Californian region. The Computer Forensic in Law Enforcement 
Course provides basic training in computer seizure procedures and computer 
evidence analysis for law enforcement officers. 
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CompuForensic 
www.compuforensic.com 


As a small business, CompuForensic offers computer forensic training in 
association with the Wright State University (WSU) in Ohio and Southern 
Methodist University (SMU) in Texas. CompuForensic specializes in the 
development of high quality computer forensic training. Previously restricted 
to full-time government employees or a select group of corporate security 
investigators, the computer forensic training is now available to the general 
public through the two universities. 


A 4-day Basic Computer Forensic Initial Response Team Training costs 
$1995. It also includes the issue of commercially licensed software such 
as Norton Utilities, Quick View plus, Partition Magic, Norton Ghost and 
selected Maresware forensic utilities. The course is designed to equip 
computer investigators and analysts with the skills needed to safely locate and 
secure computer evidence at the search site. 


A 4-day Advanced Computer Forensic Initial Response Team Training costs 
$1495 and employs the same software coupled with a major Linux 
distribution. A 1-day Program Manager’s Course is designed for managers 
involved in supporting and supervising computer forensic operations. 


Computer Sciences Corporation 
www.csc.com 


Computer Sciences Corporation (CSC) administers the Department of 
Defense Computer Investigations Training Program (DCITP) computer 
forensic program under contract to train the Department of Defense (DoD) 
criminal and counterintelligence investigators in computer forensic. 


A 3-week Field Forensic Examinations curriculum is patterned after the 
Preparation, Preservation, Duplication, Investigation and Reporting (PPDIR) 
framework. It emphasizes on the evidence chain of custody and _ technical 
investigative software tools. Students are given three days to conduct an 
actual graded practical examination of a computer hard drive without 
technical assistance. Students also participate in a half-day mock trial where 
actual trial and defense attorneys question and cross-examine them on their 
findings from the graded examination. 


Cranfield University, Royal Military College of Science 


www.cranfield.ac.uk 


The Center for Forensic Computing in Cranfield University, Royal Military 
College of Science (RMCS) is one of the very few institutions offering 
Forensic Computing postgraduate education leading to a Masters of Science 
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(3. years part-time program) or Postgraduate Diploma (2 years part-time 
program). It also offers short courses such as the Forensic Computing 
Foundation Course, Forensic Internet Course, and the Forensic Network 
Course. These 2-week short courses are also taught and discussed at the 
postgraduate level. 


These courses provide an understanding of the principles and_ practical 
methods employed in the extraction of information for evidential purposes 
from computer systems. They examine how information may be stored in 
computer systems and how it may be deliberately hidden and subverted, 
thereby to gain an understanding of the methods and techniques used in the 
extraction of information for evidential purposes. 


Department of Defense Computer Investigations Training Program 
www.dcitp.gov 


The Department of Defense Computer Investigations Training Program 
(DCITP) is dedicated to the development and delivery of computer 
investigative training for the following DoD elements: Defense Computer 
Forensic Lab (DCFL), Air Force Office Of Special Investigations (AFOSD, 
Naval Criminal Investigative Service (NCIS), Army Criminal Investigations 
Division (CID), Military Intelligence Group (WB), Defense Cnminal 
Investigative Service (DCIS). The DCITP offers a healthy variety of computer 
forensic short courses. 


A 3-day Introduction to Computer Search and Seizure Course is designed to 
provide knowledge to properly seize and maintain the evidence value of 
computer media. 


The System Administrator Incident Preparation and Response Course is a 
computer- based training distributed by Data Interchange Standards 
Association (DISA). It provides instructions in computer crime activities and 
specific practices to protect computer systems and support computer 
investigations. 


The Basic Evidence Recovery Techniques Course is a scenario-based course 
for general computer-related crime. It includes extensive practice on imaging 
media on DOS and Windows 95/98. The course concludes with the creation of 
a case folder containing evidence for forensic analysis. 


The Basic Forensic Examinations is a scenario-based course that focuses on 
media analysis. Principles of forensic analysis are presented with tools 
commonly used in the field, such as Encase. Students will learn preparation, 
image restoration, both FAT and NTFS file and directory structures, recovery 
of deleted files, and other analysis topics. The course concludes with the 
creation of a report detailing the forensic findings for the scenario. 
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The Incident Response in a Network Environment Course is a scenario-based 
course on network intrusions. Students will learn basic system administrator 
functions and extract information of evidentiary value from log files, user 
information and access rights. Students are given extensive practice on 
collecting images in a network environment. 


The Managing Computer Investigations Course familiarizes students with the 
duties and activities common to the computer crime investigators. 


The Field Investigations in a Solaris Environment Course prepares students to 
perform in-depth investigative functions in a Solaris operating system 
environment. This is a scenario-based course. Students will complete an 
investigation by performing forensic media analysis and log file analysis on a 
Solaris network. 


The Field Investigations in a Windows NT/2K Environment Course prepares 
students to perform in-depth investigative functions in a NT/W2K operating 
system environment. Students will complete an investigation by performing 
forensic media analysis and log file analysis across a NT/W2K network. 


DIBS USA Inc 
www.dibsusa.com 


DIBS USA Inc is a privately owned, independent corporation specializing in 
forensic computing, with activities in three main areas, namely the design, 
manufacture and supply of a range of computer forensic equipment; the 
provision of computer forensic analysis services and the training of 
investigators in computer forensic techniques and practice. 


A 1-day intensive introductory course, Understanding Computer Forensic, 
costing $469, provides an overview in computer forensic theory and practice. 
This course is appropriate for professionals in related fields but not for those 
specializing primarily in computer forensic. 


A 2-day course, Computer Forensic — The Essential Techniques, is designed 
to give a more solid foundation in the theory and practice of essential 
computer forensic techniques. The practical aspects of the course involves a 
number of simulated investigations on how to make image copies using the 
range of DIBS equipment for analysis and presentation to court. The course is 
suitable only for beginner with little previous experience or the more 
experienced computer operator wishing to learn basic forensic techniques. 
The fee for the course is $1130. 
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Federal Bureau of Investigation 
www .fbi. gov 


The Computer Training Unit (CTU) at the Federal Bureau of Investigation 
(FBI) Academy provides investigative computer instructions, training, and 
curriculum development to FBI and other foreign law enforcement personnel. 
Primarily, CTU trains its students on how to use the computer as an 
investigative tool, computer fraud, computer crimes, intrusions, search and 
seizure of computer as well as how to use the computer as a source of 
information. 


Federal Law Enforcement Training Center 
www .fletc.gov 


The Federal Law Enforcement Training Center (FLETC) serves as an 
interagency law enforcement training organization for numerous Federal 
agencies throughout US. The center also provides services to state, local and 
international law enforcement agencies. 


The Seized Computer Evidence Recovery Specialist Traimimg Program 
introduces the concept of automated data processing and the techniques and 
procedures for investigative computer search, seizure and analysis issues of a 
multitude of operating systems. The curriculum also addresses the legal issues 
related to computer evidence. 


Foundstone 
www.foundstone.com 


With a combination of outstanding personnel and _ industry-leading 
methodologies, Foundstone delivers computer-security services in consulting 
and education. It provides professional services in penetration testing, e- 
commerce application testing, incident response and computer forensics, 
product testing, wireless security testing as well as expertise in Microsoft 
environments utilizing ISA Server technology. 


A 4-day Incident Response & Computer Forensic Course ckals with forensic 
techniques to recognize, respond to, and recover from insider and outsider 
attacks. Students learn the science of incident response through presentations 
and hands-on lab exercises. This includes an in-depth study of the computer 
forensics process from creating evidentiary disk images to recognizing the 
often-faint trail of unauthorized activity. Students will also learn step-by-step 
incident-response procedures for Unix and Windows NT/2K. Lab Exercises 
include forensic analysis of victimized systems, review of network traffic and 
intrusion-log, review of backdoor tools that circumvent intrusion-detection 
systems, determining the function of unidentified processes, detection of 
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loadable kernel modules, rootkits and trojans. The course costs $3500. 


Fred Cohen & Associates 
www.all.net 


Fred Cohen & Associates is one of the world’s leading researcher and 
corporate consultant in the area of information protection. It specializes in 
top-level assessment of corporate protection programs, strategic scenario 
development for national policy decisions, risk management support for large 
multinational corporations, strategic program planning, Internet firewall 
suitability assessments, electronic commerce architecture analysis and 
effectiveness testing for critical infrastructure elements. 


The Digital Forensic Course is a self-paced CD-ROM instruction providing a 
comprehensive overview of digital forensic with a slight focus on the Unix 
operating environment and examples from many other sorts of systems. It 
includes viewgraphs covering a wide range of topics in digital forensic, audio 
recordings and examples from real cases. A copy of the CD-ROM costs $249. 


Guidance Software 
www.guidancesoftware.com 


Guidance Software is one of the leaders in computer forensic software, 
acquisition hardware and training. Guidance Software is well known for 
developing EnCase, a comprehensive software that handles every stage of 
computer forensic investigations, from the preview and acquisition of an 
evidence drive to the generation of a final report. 


Guidance Software offers three training courses on the EnCase Computer 
Forensic Methodology at the introductory, intermediate and advanced level. 
The introductory course introduces students to the field of computer forensic. 
The intermediate course addresses data recovery techniques. The advanced 
course involves advanced data recovery techniques and an in-depth study of 
file systems. The course fees for each of he 4day course are $2000, $2500 
and $3000 respectively. 


High Tech Crime Consortium 
www.hightechcrimecops.org 


The High Tech Crime Consortium (HTCC) provide practical information and 
hands-on training on _ evidence seizure, handling and _ storage, legal 
requirements and search warrant preparation, computer criminal behavior 
analysis and guidelines for planning, personnel considerations, field seizure 
team development 


The HTCC proposal for a Certificate in Computer Forensic consists of 45 
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quarter hours curriculum for basic computer forensic, high technology 
incident response, high technology vulnerability assessments, risk 
management and high technology infrastructure protection management. Two 
other specialty courses, Computing Forensic I and Computing Forensic II are 
taught using computer-based instructions. 


High Tech Investigators Association 
www.htcia.org 


The High Technology Crime Investigation Association (HTCIA) is an 
organization designed to encourage, promote, aid and effect the voluntary 
interchange of data, information, experience, ideas and knowledge about 
methods, processes, and techniques relating to investigations and security in 
advanced technologies among its membership. It organizes regular computer 
forensic training conferences for law enforcement personnel under its 
Regional Training Program. These training conferences are restricted only to 
law enforcement personnel. 


High Tech Crime Network 
www.htcn.org 


The High Tech Crime Network (HTCN) issues certifications on a variety of 
high ech crime related topics through courses provided by its list of approved 
agencies, organizations or companies. HTCN does not directly provide such 
training. Rather, it offers both basic and advanced certifications for Certified 
Computer Crime Investigator, Certified Computer Forensic Technician, 
Certified Computer Crime Prosecutor, Certified Computer Crime Attorney 
and the Certified Network Security Professional. These certifications are 
issued as a result of acquiring the required experience, course hours and 
successfully completing a written test. They serve to provide a higher degree 
of professionalism and continued training and support within the high tech 
crime industry. The cost for each of the certifications is $250. 


Institute of Police Technology and Management, University of North Florida 
www.iptm.org 


The Institute of Police Technology and Management (IPTM), University of 
North Florida is established to provide specialty training to law enforcement 
agencies in community policing. 


A 5-day Computer Crime Investigations Course is designed to train law 
enforcement investigators in the latest techniques of modern computer crime 
investigation. The course includes practice on preparing search warrant 
documents for the seizure of a suspect’s computer, how to image and examine 
the system for evidence relating to a criminal offense, and how to present this 
evidence for prosecution. It also includes the use of the Internet to conduct 
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follow-up investigative work pursuant to an ongoing investigation. The cost 
fee is $795. 


International Association of Computer Investigative Specialists 
WWw.cops.org 


The International Association of Computer Investigative Specialists (IACIS) 
is a volunteer nonprofit corporation composed of law _ enforcement 
professionals dedicated to education in the field of forensic science. The 
international computer investigative organization provides both a network for 
trained investigators and an annual basic training conference for law 
enforcement professionals. 


The Law Enforcement Computer Forensic Training is a 2-week course 
costing $1395. It consists of both classroom and hands-on training. The 
course outlines generic computer crime investigations, such as interpreting 
and tracing email, identification of electronic evidence and the proper 
collection method to preserve the integrity of such evidence. The course also 
includes sector level examination and analysis of hard disks and removable 
media, data recovery, identification and handling of data destructive software 
schemes, encryption theory and decryption techniques. After completion of 
the 2-week course, a basic examiner is required to complete a set of forensic 
investigation problems via home study before receiving certification. The 
students are given one year to complete the hands-on technical examinations 
on the issued computer media without the use of any automated forensic 
processing software. 


International Association of Directors of Law Enforcement Standards and 


Traini 
www.ladlest.org 


The International Association of Directors of Law Enforcement Standards and 
Traming (IADLEST) is an international organization whose mission is to 
research, develop and share information, ideas and innovations in establishing 
effective and defensible standards for employment and training of law 
enforcement officers. Its primary focus is criminal justice standards and 
training. It does not directly conduct any formal computer forensic training, 
but offers a list of computer forensic courses conducted by the Law 
Enforcement Training Center, the Police Training Institute, and the Institute 
of Police Technology and Management. 


Internet Crimes, Inc 
www.internetcrimes.com 





Internet Crimes, Inc is a subsidiary of PowerPhone, Inc. It offers on-site, 
hands on training for law enforcement agents, government officials, attorneys, 
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and computer security professionals in the area of Internet crime 
investigations. Its staff includes computer crime investigators and attorneys 
who have worked on computer crimes cases. Internet Crimes, Inc. is one of 
the official traming provider for the High Technology Crime Network 
(HTCN). 


A 5-day Computer Crime Investigators Certification Program costs $649. The 
topics covered include examples of computer crimes, introduction to 
computer forensic, computer evidence collection and crime specific 
investigations. 


A 3-day Computer Fraud and Financial Crime Investigation Program costs 
$599. Topics covered include introduction on theft of identity, intellectual 
property, fraud, piracy, scams, counterfeiting and the relevant investigative 
tools and techniques. 


Key Computer Service, Inc 
www.keycomputer.net 


Key Computer Service, Inc. is a small corporation that specializes in 
computer forensic. It has a full range of technical and investigative expertise 
providing computer forensic examination, data recovery, password recovery 
and other electronic data services. In addition, it also provides self-paced on- 
line training in computer forensic and data recovery. 


The Computer Forensic Course is broken up into five modules and the fee for 
the on-line instructions is $2250. The course covers processes and 
methodologies to conduct forensic examinations and the recovery of evidence 
and data from magnetic media with the use of specially prepared practical 
exercises. The practical exercises will require students to create and verify 
forensically sterile examination media, to create forensic boot diskettes, to 
make forensic copies of media, to find and recover deleted, formatted, hidden 
and lost data, to access mail, cache and other nternet related files, to unlock 
passwords, data format conversion, to provide opinions regarding 
examinations and a complete hands-on examination of a specially prepared 
hard disk drive with real life forensic issues. Software provided as part of the 
course includes the Wiper, FreeSecs and DiskDupe disk utilities, ListDrv and 
ChkSum. 


The Data Recovery Course is broken into three modules and the fee for the 
on-line instructions is $1650. The course covers physical crash recovery 
techniques, as well as data recovery from raw media that has no directory or 
sub-directory listings. The online instruction is also accompanied with 
related practical exercises. 
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Knowledge Solutions Campus 
www forensic-science.com 


Knowledge Solutions specializes in delivering on-line instructions on forensic 
science. It has onboard, qualified and experienced instructors who have done 
leading edge casework in their fields. One of the instructors is Eoghan Casey, 
an author and editor of several books on computer forensic. Lesson plans and 
assignments are posted weekly as web pages with web-based discussion 
forum to allow interaction among fellow students and the instructor, post 
questions and exchange ideas. Students are expected to spend about 5 hours 
per week for the on-line instructions. 


Knowledge Solutions offers a range of courses on forensic sciences, and four 
modular courses specifically on computer forensic. The Introduction to 
Internet Crime Course, and the Introduction to Digital Evidence and 
Computer Crime Course are both 3-week long, each costing $75. The 
Investigating Internet Crime Course and Advanced Digital Evidence Course 
are 10-week long and cost $225 each. These courses are based on material in 
Eoghan Casey’s book on Digital Evidence and Computer Crime: Forensic 
Science, Computers, and the Internet. 


Kroll 
www.krollworldwide.com 


Kroll is a leading risk-consulting company offering professional services in 
analysis of intelligence, assessment of threats and implementation of 
measures to offset risks relating to a wide range of current and potential 
difficulties. They include internal controls, employee or vendor malfeasance, 
threats to corporate security, intellectual property theft, and financial 
improprieties. 


The Kroll Information Security Group provides a variety of courses designed 
for forensic and network investigative certifications. The Introduction to 
Technology Crime/First Responder Course is a 5-day introductory program to 
the field of technology crime. At the conclusion of the course, students will be 
able to recognize the occurrence of technology crimes, as well as preserve and 
collect necessary items of evidence. The cost for the course is $1595. The 
Computer Forensic Course is a 5-day program at $1695. It covers the 
fundamentals of forensic investigations. The Internet Investigation Course 
introduces students to the configuration and operations of the Internet and 
techniques for conducting investigations on the Internet. The 5-day program 
costs $1595. The LAN Investigation Course introduces students to the 
principles of computer networks, common network configurations and some 
of the considerations that investigators need to consider when they encounter 
computer networks. The 5-day program costs $1695. The Electronic 
Discovery and Forensic, Continuing Legal Education Course is an 8-hour 
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custom seminar to present attorneys with a familiarization to computer 
forensic and electronic recovery. 


LC Technology International, Inc 
www.lc-tech.com 


LC Technology International, Inc is a developer of PC-based utility software. 
As the end-user market increases and users become more sophisticated, LC 
Technology is experiencing large increases in sales outside of its core 
business. Its core product line is designed to fill the security needs of data 
protection, recovery and security of digital data) LC Technology offers a 
series of 3-day course costing $1250 each. 


Both the Basic and Advanced Computer Forensics Course are designed to 
train corporate and law enforcement investigators in the basic elements of 
computer forensic investigation. Through hands-on practice, students will 
learn how to properly seize and examine an IBM-based PC and related media 
for evidence relating to a criminal or civil offense. 


The Homeland Defense Digital Investigations Program is designed to train 
corporate and law enforcement investigators in computer and digital 
investigations relating to domestic terrorism suspects. Students will conduct 
examinations of digital media captured from actual domestic terrorism cases 
and will work as a team to develop credible intelligence. Emphasis will be 
placed on the recovery and examination of terrorist e-mails and the use of 
encryption by terrorist cells. 


The Investigating Internet Crimes Against People Program includes a 
statutory overview of Internet and computer crimes, setting up an omline 
Investigation, a hands-on laboratory simulating an internet investigation, 
acquiring and preserving digital evidence. During the exercise, students will 
use the data recovery and forensic tools, and learn the techniques to conduct a 
thorough computer forensic exam for a courtroom presentation. 


Mares and Company, LLC 
www.dmares.com 


Mares and Company, LLC is a small company that provides computer 
forensic examinations and _ periodically hosts computer forensic and 
MARESWARE training seminars to state and local law enforcement. 


A 5-day Basic Computer Forensic Seminar costs $1000. The topics covered 
include search warrant wording, creating forensic boot disks undeleting files, 
preserving disk evidence, forensic processing, imaging and _ copying 
procedures. 
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A 2-week Advanced Computer Forensic Seminar cost $2000. It covers more 
complex topics and include more hands-on and practical exercises such as in 
depth command line usage and designing complicated script batch files, disk 
editing, preserving disk evidence, forensic processing, hashing techniques, 
disk cataloging, imaging and copying procedures, process validation and 
automating the seizure process. 


A 5-day Maresware Forensic Software Computer Training cost $800. The 
topics covered include how to use Maresware forensic software for 
performing forensic analysis of computers with a significant amount of 
hands-on practice using the Maresware forensic software. Students will 
practice with and become familiar with the capabilities of the software, thus 
developing a better understanding of what the software is capable of and how 
to use it more efficiently when doing forensic and data analysis. 


National White Collar Crime Center 
www.cybercrime.org 


The National White Collar Crime Center (NW3C) is a non-profit organization 
funded by the Department of Justice, Bureau of Justice Assistance. It provides 
support to local and state enforcement agencies involved in the prevention, 
investigation, and prosecution of economic and high-tech crime. It conducts a 
Basic as well as an Advanced Data Recovery and Analysis Course. These 5- 
day courses are sponsored by the National Cybercrime Training Partnership 
(NCTP). There is no fee for the courses and they are open only to law 
enforcement personnel. 


The Basic Data Recovery and Analysis Course includes hands-on instructions 
and discussion about evidence identification and extraction, hardware and 
software needed to do a seizure, how to recover erased files, how to overcome 
encryption and high-tech legal issues. The Advanced Data Recovery & 
Analysis Course takes the students into more varied and complex technical 
areas such as large hard drives, new partition types, long file name and date 
stamp issues, FAT, NTFS, advanced imaging, alternate media, transient data, 
internet issues and testimony considerations. 


New Technologies, Inc 
www forensic-intl.com 


New Technologies, Inc (NTI) provides consulting services to large law firms 
and corporations concerning e-commerce evidence and general computer 
evidence issues. NTI also provides software tools and advisory services to 
military and intelligence agencies in computer security risk identification and 
on the elimination of such risks. Its primary expertise lies in the development 
of state-of-the-art computer forensic and risk assessment tool, computer 
forensic training and computer evidence consulting. 
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A 1-day Data Imaging Course deals specifically with issues related to creating 
evidence grade bit stream copies of computer hard disk that may contain 
electronic evidence. The training course will include detailed instructions and 
hands-on experience in using NTT's forensic tools developed for the bit stream 
backup imaging process. These tools, provided with the course, include 
SafeBack, Disk Scrub and M-Sweep. 


A 1-day Forensic Training Course is intended as an overview of computer 
evidence processing techniques and the use of NTIT's automated computer 
forensic software. The software provided with the course includes DiskSig, 
CrcMD5 and NTIDoc documentation tool. 


A 3-day Computer Forensic Course deals specifically with DOS and 
Windows 95/98/ME. It covers evidence preservation, evidence processing 
methodologies and computer security risk assessments in detail. Recently, the 
course content has been expanded to support US Government’s needs on 
computer incident responses and computer forensic binary data searches for 
foreign language computer data. This hands-on training course exploits the 
inherent security weaknesses of the operating systems to find computer 
evidence and security leakage of sensitive data. The students will receive a 
suite of NTI forensic software. The course costs $2295. 


A 2-day Network Forensic Course is intended to supplement the 3-day 
Computer Forensic Course and deals specifically with the Windows NT/2000. 
The course includes instructions and hands-on experience in using the NTI 
forensic tools on the processing and analysis of NTFS related evidence. They 
include PTable, DiskSearchNT, GetSlackNT, GetFreeNT, NTICopy and 
FileListNT. Students will receive a copy of these specialized forensic tools. 


Ohio Peace Officer Training Academy 
www.ag.state.oh.us/opota/opota.htm 


The Ohio Peace Officer Training Academy (OPOTA) is administered by the 
Attorney General through the Ohio Peace Officer Training Commission. The 
commission establishes uniform courses of training for law enforcement 
officers and private security throughout Ohio. It offers training subjects 
ranging from criminal investigation to the use of firearms. All the computer 
forensic courses offered by OPOTA are restricted to active law enforcement 
only. 


A 4-day Basic Computer Data Recovery Course is designed for law 
enforcement personnel responsible for forensic data recovery from seized 
computers. The course emphasizes the safe preservation and recovery of 
computer evidence. The course fee is $375. 
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A 5-day Intermediate Computer Forensic Course is designed to prepare law 
enforcement personnel for more advanced investigations on systems such as 
Windows NT/2K, Unix and Macintosh, data recovery from networks and 
other advanced problems generally faced by computer forensic specialist. The 
course fee is $275. 


A 4-day Internet Investigation Course is designed for law enforcement 
personnel responsible for investigating crimes involving the Internet. Topics 
include case preparation, email and IP tracing, viruses and introduction to 
intrusions. The course fee is $225. 


University of New Haven 


www.newhaven.ed 


The University of New Haven offers on-line courses for undergraduate and 
graduate credit toward degrees in criminal justice in the areas of forensic 
computer investigation and information protection and security. Among its 
faculty is Fred Cohen, who is best known as the inventor of computer viruses 
and virus defense techniques. 


The Certificate in Forensic Science/Forensic Computer Investigation requires 
12 academic credits from a list of related online courses such as Computer 
Crime, Legal Issues and Investigative Procedures Computers, Technology 
and Criminal Justice Information Management Systems, Advanced Crime 
Scene Investigation. Each of the 3-credit on-line course costs $1335. 


Veridian 
www.veridian.com 


Veridian is a designer and operator of secure, intelligent network 
environments. Leveraging 25 years of experience gained from protecting 
important components of the country's communications infrastructures, 
Veridian offers a full suite of leading-edge network and information security 
services and products. As a knowledge applications provider, it develops 
integrated systems and applications, establishes secure network environments 
to make intelligent decisions. 


A 10-day Macintosh Forensics Analysis Course provides a short overview of 
the Apple hardware and software, the Macintosh 9.0.4 operating system and 
highlights system functions and features that are important for a forensic 
examination. Students will learn how to map a Macintosh hard drive and learn 
places to discover hidden data. Students will also learn to use selected 
software tools during the hands-on exercises. The fee for the course is $5190. 
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APPENDIX B: LIST OF READINGS ON COMPUTER FORENSICS 


1. Avoiding Cyber Fraud in Small Businesses: What Auditors and 
Owners Need to Know 
by Jack Bologna, Paul Shaw and G. Jack Bologna 
John Wiley & Sons, May 2000 





This book provides critical guidance on what auditors and businesses can do 
to prevent and detect the most rapidly growing kind of fraud—cyber fraud. 
Here, auditors, business owners and managers—the ones being held 
accountable when this kind of criminal activity is detected—will learn how to 
beware of the dangers of internal theft by computer, illegal access to 
information systems, credit card frauds, Internet scams and insure that 
adequate controls are in place for its prevention and detection. 


2. Computer Crime: A Crimefighter's Handbook | —aoaeiER 
by David J. Icove, David Seger Karl Icove, Karl A. Seger and GRIME 
Vonstorch a) 


O’Reilly & Associates, Inc. 


Terrorist attacks on computer centers, electronic fraud on international funds 
transfer networks, viruses and worms in software, corporate espionage on 
business networks, and crackers breaking into systems on the Internet. 
Computer criminals are becoming ever more technically sophisticated, and it's 
an increasing challenge to keep up with their methods. The book is for readers 
who need to know what today's computer crimes look like, how to prevent 
them, how to detect, investigate and prosecute them if they do occur. It 
contains basic computer security information as well as guidelines for 
investigators, law enforcement, computer system managers and 
administrators. 


The book contains a discussion on computer crimes, the computer criminal 
and computer crime laws. It describes the various categories of computer 
crimes and profiles the computer criminal using techniques developed for the 
FBI and other law enforcement agencies. It outlines the risks to computer 
systems and personnel, operational, physical, and communications measures 
that can be taken to prevent computer crimes. It then discusses how to plan 
for, investigate, and prosecute computer crimes, ranging from the supplies 
needed for criminal investigation, to the detection and audit tools used in 
imvestigation, to the presentation of evidence to a jury. It also contains a 
compendium of the computer-related US federal statutes and all of the 
statutes of the individual states, as well as representative international laws. 
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Lastly, the book contains a resource summary, detailed papers on computer 
crime and a sample search warrant for a computer crime. 


Cyber Crime Investigator's Field Guide 
by Bruce Middleton 
CRC Press, December 2001 


This book provides the details of investigating computer crime and the chain 
of evidence from what to do upon arrival at the scene until the investigation is 
complete. It covers information such questions to ask the client, steps to 
follow when arriving at the client's site, procedures for collecting evidence, 
details on how to use various evidence collection and analysis tools, and how 
to recover lost passwords or documents that are password protected. It also 
includes case studies on computer forensic tools in action, commonly used 
Unix/Linux commands, port number reference for various services and 
applications, computer forensic software tools commands synopsis, attack 
signatures and Cisco PIX firewall commands. The author provides an 
investigative framework, knowledge of how cyberspace really works and the 
tools to investigate cyber crime. 


Computer Forensics Comnate tenses 
by Warren G. Kruse II and Jay G. Heiser 
Addison- Wesley Publishing Company, September 2001 





The book offers a disciplined approach to implementing a comprehensive 
incident-response plan, with a focus on how to detect intruders, discover what 
damage they did and find out who they are. The bulk of the book details the 
technical skills and emphasis on providing a well-documented basis for a 
criminal investigation. The key to success is becoming a "white hat" hacker in 
order to combat the criminal "black hat" hackers. In this vein, the authors use 
a number of technical examples and encourage readers to develop expertise in 
Unix/Linux and Windows NT fundamentals. They also provide an overview 
of a number of third-party tools, many of which can be used for both tracking 
hackers and to probe the users’ own systems. Frequent examples are used to 
demonstrate how to extract evidence from a violated computer system. 
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Computer Forensics: Computer Crime Scene Investigation 


MPUTEI 
by John R. Vacca } ( WR NSIC ‘ 
Charles River Media, December 2001 al 


s =—om 
This book provides a comprehensive overview of computer forensics from its 
definition to crime scene investigation, seizure of data, determining the 
fingerprints of the crime and tracking down the criminal. The book focuses on 
solving the crime rather than information security. Case studies and vignettes 
of actual computer crimes are used. The enclosed CD __ includes 
demonstrations on the latest computer forensics and auditing software. 


Computer Forensics and Privacy 

(Artech House Computer Security Series) 
by Michael Caloyannides 

Artech House, September 2001 





The book delivers a comprehensive treatment on the threats to data 
confidentiality posed both by the emerging field of computer forensics and by 
connecting a computer to the Internet. It provides valuable critical 
information on identifying the specific areas where sensitive and potentially 
incriminating data is hiding in personal computers and explains how to go 
about removing this data; on install operating systems and application 
software that will help to minimize the possibility of security compromises; 
on ensuring computers that are connected to the Internet are protected from 
malicious mobile code and the new fashion of “adware/spyware”’, and on 
detecting whether advanced investigative tools, such as keystroke storing and 
relaying hardware and software, are in use in a computer. Other key topics 
include the pitfalls of encryption and how to use it effectively, the practical 
aspects of online anonymity and the current legal issues that pertain to the use 
of computers. Over 70 illustrations emphasize major points throughout the 
book. 


Cuckoo's Egg: Tracking a Spy Through the Maze of Computer 


Espionage 
by Clifford Stoll 


Pocket Books, October 2000 





A sentimental favorite, this book has inspired a whole category of books 
exploring the quest to capture computer criminals. Several years after its 
initial publication and after much imitation, the book remains a good read 
with an engaging story line and a critical outlook, as the author becomes a 
one-man security force trying to track down faceless criminals who have 
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invaded the university computer lab he stewards. What first appears as a 75- 
cent accounting error in a computer log is eventually revealed to be a ring of 
industrial espionage, primarily thanks to the author's persistence and 
intellectual tenacity. 


Cyber Crime: How to Protect Yourself from Computer sid 
Criminals 

by Laura E. Quarantiello ea 
Tiare Publications, December 1996 


The author offers a detailed look at what is happening in the world of 
computer crime, complete with insights into the minds of the perpetrators— 
from the mischievous to the malicious. Her stories include both the disturbing 
and the heartening, and the advice she has collected—from cyber-cops and 
cyber-criminals alike, is well worth heeding. Readers will learn about the 
three-step scale of vulnerability, cyber-cops, how they walk the digital beat 
and view intimate portraits of hackers and the tools they use. 


Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving 


Evidence of Computer Crimes 
by Albert J. Marcella Jr (editor) and Robert S. Greenfield 


Auerbach Publications, December 2001 


The book provides a comprehensive, highly usable and clearly organized 
resource to the issues, tools and control techniques needed to successfully 
investigate illegal activities perpetuated through the use of information 
technology. This book introduces the broad field of cyber forensics and 
presents the various tools and techniques designed to maintain control in an 
organization. It dwells on how to identify inappropriate uses of corporate IT, 
examine computing environments to identify and gather electronic evidence 
of wrongdoing, secure corporate systems from further misuse, identify 
individuals responsible for engaging in inappropriate acts, and protect and 
secure electronic evidence from intentional or accidental modification or 
destruction. Knowing how to identify, gather, document, and preserve 
evidence of electronic tampering and misuse makes reading this book and 
using the forensic audit procedures it discusses essential to protecting 
corporate assets. 


Defending Your Digital Assets Against Hackers, Crackers, 
Spies, and Thieves 

by Randall K. Nichols, Daniel J. Ryan, Julie J. C. H. Ryan and 
Arthur W. Jr. Coviello 

McGraw- Hill Professional Publishing, December 1999 





This is a guide to computer security. In place of specific how-to information, 
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readers learn about the motives of on-line attackers and the strategies they use 
to gain unauthorized access to systems and data, plus overarching concepts 
like public-key cryptography. It also deals about defensive and forensic 
strategies for preventing attacks and limiting their potency when they occur. 
The topics covered include computer and network security, risk management, 
security policy, cryptography, access control, authentication, biometrics, 
actions to be taken during an attack and case studies of hacking and 
information warfare. 


Digital Evidence and Computer Crime: Forensic Science, 
Computers, and the Internet 

by Eoghan Casey 

Academic Press, March 2000 





Many readers commented that this is one of the best computer forensic book 
describing the elements of digital crime. The book is clear and easy to 
understand. The author applies the methodology of forensic science to 
computer crime investigations. The book begins with an explanation of how 
the computer functions, how they can be used in crime and how the evidence 
created from these activities can be used for later analysis. The accompanying 
CD-ROM contains simulated cases to integrate the topics covered in the text. 
This book is used as a training text at the Atlanta ISSA. 


Disk Detective - Secrets You Must Know to Recover 
Information from a Computer 

by Norbert Zaenglein 

Paladin Press, September 1998 





This book is designed to bring the secrets of information recover to the 
average person. In it, the author shows private investigators, parents, teachers, 
business owners and law enforcement professionals what types of information 
can be recovered from IBM-compatible personal computers and how. He 
includes step-by-step instructions for recovering information from 
reformatted disks or overwritten files, retrieving deleted files, discovering 
passwords and retracing visited Internet files. 


Fighting Computer Crime: A New Framework for Protectin 
Information 

by Donn B. Parker 

John Wiley & Sons, August 1998 








A revolutionary new approach to computer security. In this book, the author 
first shows why current approaches to preventing computer crime are not 


af 


14. 


15. 


working, and then presents a new framework for understanding criminal 
threats, describing proven countermeasures and discussing actual crime cases. 
Boldly critiquing many prominent business and government figures for their 
failings, this book pulls no punches in its drive to improve information 
security. 


Forensic Computing: A Practitioner’s Guide 
(Practitioner Series) fei eet 
by Tony Sammes, Brian Jenkinson and A. J. Sammes Sue 
Springer Verlag, October 2000 





In this book, the authors show how information held in computer systems can 
be recovered and how it may be deliberately hidden or subverted for criminal 
purposes. The content is illustrated by plenty of case studies and worked 
examples and will help practitioners and readers gain a clear understanding of 
how to recover information from computer systems in such a way as to ensure 
that its integrity cannot be challenged and that it will be accepted as 
admissible evidence in court; the principles involved in password protection 
and data encryption; the evaluation procedures used in circumventing these 
safeguards; the particular legal issues associated with computer-generated 
evidence and how to ensure admissibility of such evidence. This is a text 
aimed at helping practitioners get to a level of technical understanding that 
would allow them to be able to use forensic computing analysis to search for, 
find and present any form of digital document as evidence in court. 


Handbook of Computer Crime Investigation: Forensic Tools & 
Technology 

by Eoghan Casey (editor) 

Academic Press, October 2001 





Following on the success of his introductory text, Digital Evidence and 
Computer Crime, the author brings together the specialized knowledge of a 
few top experts to create the first detailed guide for professionals who are 
already familiar with digital evidence. This book helps readers master the 
forensic analysis of computer systems with a three-part approach covering 
tools, technology and case studies. The Tools section provides the details on 
leading hardware and software programs—such as EnCase, Dragon and 
Forensix—with each chapter written by that product’s creator. The section 
ends with an objective comparison of the strengths and limitations of each 
tool The main Technology section provides the technical “how to” 
information for collecting and analyzing digital evidence in common 
situations, starting with computers, moving on to networks and culminating 
with embedded systems. The Case Examples section gives readers a sense of 
the technical, legal and practical challenges that arise in real computer 


38 


16. 


U7. 


18. 


investigations. 


High Technology Crime Investigator’s Handbook 
by Gerald L. Kovacich and William C. Boni 


Butterworth- Heinemann, September 1999 CHS 


HANDBOOR 





This book informs readers about the potential of high tech crimes and the 
resources that are available to combat them. The book covers the management 
of a high tech investigation unit. The authors provide an overview of the 
entire high-technology crime investigation process. The book not only deals 
with a myriad of important issues but also offers viable solutions and 
prevention programs. 


Incident Response - 
by Richard Forno, Kenneth R. Van Wyk and Rick Forno r- 


O’Reilly & Associates, July 2001 





This book introduces the modes of attack and the methods of response. The 
authors explain the organization and function of the professional, 
governmental and ad hoc groups that exist to respond to attacks and 
disseminate information about them. The topics covered include tools and 
strategies hackers use to break into systems illegally, and mechanisms and 
procedures for dealing with such attacks. Emphasis falls on the business 
considerations associated with incident preparedness and response. 


Incident Response: A Strategic Guide to Handling System and 
Network Security Breaches 

by Russell Shumway and E. Eugene Schultz 

New Riders Publishing, January 2002 








This book teaches readers what they need to know to not only set up an 
incident response effort, but also how to improve existing incident response 
efforts. The book provides a comprehensive approach to incident response, 
covering everything necessary to deal with all phases of incident response 
effectively, spanning from pre-incident conditions and considerations to the 
end of an incident. It also covers the technical considerations, what needs to 
be inspected in case they are corrupted, the types of logging data available in 
major operating systems and how to interpret it to obtain information about 
incidents, and how network attacks can be detected on the basis of 
information contained in packets. The major focus of this book is on 
managerial and procedural matters. It advances the notion that without 
effective management, incident response cannot succeed. 
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Incident Response: Investigating Computer Crime 
by Chris Prosise and Kevin Mandia 
McGraw- Hill Professional Publishing, June 2001 





Written by FBI insiders, this book reveals the computer forensics process and 
offers authoritative solutions designed to counteract and conquer hacker 
attacks. It teaches the readers how to determine when an attack has occurred 
or is underway and what to do about it. The authors favor a tools- and 
procedures-centric approach to the subject, thereby distinguishing this book 
from others that catalog particular attacks and methods for dealing with each 
one. Their approach is more generic and therefore better suited to dealing 
with newly emerging attack techniques. Anti-attack procedures are presented 
with the goal of identifying, apprehending and prosecuting attackers. The 
advice on carefully preserving volatile information, such as the list of 
processes active at the time of an attack, is easy to follow. The book is quick 
to endorse tools and the functionalities of which are described so as to inspire 
creative applications. Information on bad-guy behavior is top quality as well, 
giving readers knowledge of how to interpret logs and other observed 
phenomena. The authors do not offer a foolproof guide to catching crackers in 
the act, but they do offer a great “best practices” guide to active surveillance. 


Investigating Computer Crime 
(CRC Series in Practical Aspects of Criminal and Forensic 


Investigations) INVESTIGATING 
by Franklin Clark, Ken Diliberto (contributor) and Vernon J. — 
Geberth (editor) 

CRC Press, July 1996 pL 





This book presents practical methods for gathering electronic evidence and 
dealing with crimes involving computers. It follows a step-by-step approach 
to the investigation, seizure and evaluation of computer evidence. The 
material in the book has been used at the Federal Law Enforcement Training 
Center (FLETC), the Canadian Police College for teaching computer classes 
in white-collar crime and sex crime investigations and by US Army 
Intelligence in cooperation with NATO in Europe. It has also been used to 
teach a 1-week course in computer crime investigation to agents from the 
IRS, Secret Service, and state and local agencies. 


Investigating Computer Crime: A Primer for Security Managers INVESTIGATING 
by Ronald L. Mendell Saaa 


Charles C Thomas Pub Ltd, September 1998 
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This book provides a fundamental investigative foundation for law 
enforcement and security managers by moving through the basic phases of a 
computer crime investigation. Topics include: solvability factors; retail 
computer security; intelligence gathering; the investigative process; 
establishing the corpus delicti; preserving evidence; determining — the 
evidence, weak points and responsible parties; and deciding on a course of 
action. Ideas for discussion follow each chapter, providing material for in- 
depth exploration of the topics presented. The appendix contains a wealth of 
knowledge on information warfare, extremists and other threats from 
cyberspace. 


Investigating Computer-Related Crime: A Handbook For 


Corporate Investigators 
by Peter Stephenson 


CRC Press, September 1999 





Written by an experienced information security specialist, this book offers a 
step-by-step approach to understanding and investigating security problems, 
technical and legal information, and computer forensic techniques. It 
discusses the nature of cyber crime, its impact in the 21st century, its 
investigation and difficulties encountered by both public law enforcement 
officials and private investigators. It gives advice on collecting and preserving 
evidence, interrogating suspects, handling crime in progress and in involving 
authorities. 


I-Way Robbery: Crime on the Internet hw 
by William C. Boni, Gerald L. Kovacich and John P. Kenney R iaieg 


Butterworth- Heinemann, May 1999 
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This book offers a basic understanding of Internet crime and covers related 
Internet business, government, political and privacy issues. It describes 
techniques used to commit crimes, what can be done about them, what 
challenges the future may hold, discusses real world problems and solutions 
for both technical and non-technical professionals, and analyzes actual 
Internet crime cases. This book is for security professionals who need to get 
up to speed on the whole issue of crime on the Internet. This book explains 
the history of the Internet, the future of it and to which it can expose an 
organization. 
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Network Intrusion Detection: An Analysts' Handbook 
by Stephen Northcutt 


New Riders Publishing, August 1999 


This book explains what readers need to know to prevent unauthorized 
accesses of networked computers and minimize the damage intruders can do. 
It emphasizes proven techniques for recognizing attacks while they are 
underway. The author explains ways to spot suspicious behavior and deal 
with it, both automatically and manually. He explains SYN flooding and TCP 
hijacking with clarity and detail. Readers will get a good picture of the 
famous Kelvin Mitnick’s attack and how Tsutomu Shimomura's server 
reacted. He also explains how a system administrator would detect and defeat 
a Mitnick attack. Another case study shows how a bad guy with root 
privileges attacked a DNS server. 


Secret Software: Making the Most of Computer Resources for _— 


Data Protection, Information Recovery, Forensic Examination, 
; aes Niamilal 
Crime Investigation and More Niatluiita 


by Norbert Zaenglein 
Paladin Press, July 2000 





Norbert Zaenglein, author of the best-selling book Disk Detective, takes the 
software secrets that have been the exclusive domain of hackers and other 
computer-savvy surfers mainstream. In straightforward, nontechnical terms, 
the book covers an array of computer resources: electronic document 
shredders, a new electronic truth serum that rivals the polygraph, detection 
and identification of electronic intruders, professional forensics software and 
image enhancement software to assist in law enforcement investigations, file 
viewers that provide instant access to files that cannot be opened, and 
computer security programs. However, one reader ever described this book as 
basically an advertisement for software. 


Tangled Web: Tales of Digital Crime from the Shadows of 


Cyberspace 
by Richard Power 


Que, August 2000 





Between interviews with hackers and security experts, the author suggests 
that the world's networks are swarming with money-sucking leeches, most of 
which are never even noticed, and certainly not caught. He delves into the 
twists and turns of the criminal investigations and the motivation of cyber- 
crooks. The author also gives credit to law enforcement agencies and security 
consultants who have made genuine progress in preventing crime and 
apprehending criminals. 
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Transnational Criminal Organizations, Cybercrime, and Money 
Laundering: A Handbook for Law Enforcement Officers, 


Auditors, and Financial Investigator rata nesioal 
by James R. Richards 


CRC Press, December 1998 





Written by a law-enforcement professional, this book examines the workings 
of organized criminals and criminal groups that transcend national 
boundaries. Discussions include methods used by criminal groups to 
internationally launder money; law enforcement efforts to counteract such 
schemes; and new methods and tactics to counteract transnational money 
laundering. 
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APPENDIX C: LIST OF TOOLS FOR COMPUTER FORENSIC 
INVESTIGATION 


1. Computer Forensics Software 
from The Coroner's Toolkit 


www.cerias.purdue.edu/homes/carrier/forensics 


The Coroner's Toolkit (TCT) is a collection of tools oriented towards 
gathering or analyzing forensic data on a Unix system. 


TCTUTILs is a collection of utilities in the TCT. It lists directory inode 
contents to view file, device, and directory names. This allows deleted file 
names to be viewed and with some platforms, an entire deleted file can be 
easily recovered. It can obtain Modified, Accessed, and Created time data on 
deleted files. It can also display the contents of a given block in several 
formats and the details of an iode, including all the block numbers. 
TCTUTILs is tested on OpenBSD, Linux and Solaris. 


Autopsy Forensic Browser is an HTML based front-end interface to TCT 
and TCTUTILs. It allows an investigator to browse forensic images generated 
from a file, inode or block level abstraction. It also provides a convenient 
interface for searching for key words on an image. It browses a forensic 
image from the file/directory level using a File Manager style interface, 
searches the image at the block level for specified strings and displays the file 
contents in raw, ASCII, or hexdump. Finally, it generates autopsy reports on 
files, blocks or inodes with their MD5 hash values. 


Lazarus is another program in TCT. Its goal is to give unstructured data 
some form that can be viewed and manipulated by the examiner. It achieves 
this goal via a few simple heuristics. It begins by reading in a block of data 
from its input stream and roughly determining what sort of data—text or 
binary—the block is. This is done by examining the first ten percent of the 
bytes in the block—if they are mostly unprintable characters, then it is 
flagged as a binary block; otherwise, it is flagged as text data. If the block has 
been flagged as text, Lazarus checks the data against a set of regular 
expressions to attempt to determine what it is with finer detail. If the block is 
binary, the Unix file command is run over the chunk of data to classify the 
file based on its content. If the data block is not specifically recognized after 
the initial text/binary recognition but instead follows a recognized chunk of 
text/binary data (respectively), Lazarus assumes that it is a continuation of the 
previous data and will concatenate it to the previous data block. These 
discrete files are then individually written to disk. 
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Computer Incident Response Suite 
from New Technologies, Inc 


www.secure-data.com/suite1.html 


CRCMd5 is a CRC program that mathematically creates a unique signature 
for the contents of one, multiple or all files on a given storage device. Such 
signatures can be used to identify whether or not the contents of one or more 
computer files have changed. This forensics tool relies upon 128-bit accuracy 
and can easily be run from a floppy diskette to benchmark the files on a 
specific storage device. CRCMd5 can be used as the first step in the 
implementation of a configuration management policy. Such a policy and 
related system bench marking can help computer specialists isolate problems 
and deal with computer incidents after they occur. The program is also used 
to document that computer evidence has not been altered or modified during 
computer evidence processing. 


DiskScrub is a scrub utility used to eliminate data on the hard disk drive. The 
data storage areas are repeatedly overwritten in such a way that the original 
data cannot be recovered using data recovery or computer forensics software. 
This process involves writing data on the hard disk drive tracks from the first 
sector to the last sector on the subject hard disk drive. DiskScrub conforms to 
US DoD computer security standards, which require that the data overwrite 
process involve one pass with a character, a second overwrite pass using the 
compliment of the first character overwrite and a third pass with a random 
character. 


DiskSig is another CRC program that validates mirror image backup 
accuracy. This program is used to mathematically create a unique signature 
for the content of a computer hard disk drive. Such signatures can then be 
used to validate the accuracy of forensic bit stream image backups of 
computer hard disk drives. This program was primarily created for use with 
SafeBack software. 


FileList is a disk catalog tool used to evaluate computer use time lines. It 
documents information about files stored on one or more computer hard disk 
drives and other computer storage devices. This multi-purpose tool is 
designed for covert use, security reviews and forensic laboratory processing 
of computer evidence. It leaves no trace that it has been used and the output is 
compressed so that the output will usually fit on just one floppy diskette. The 
compressed output is automatically converted into adBASE III file format by 
a companion program FileCNVT. The dBASE III file format will import into 
most commercial spreadsheet and database applications. The converted 
output can also be viewed, sorted and analyzed through the use of timeline 
analysis tool ShowFile. FileList is compatible with DOS, Windows, Windows 
95/98 and a special version is available for Windows NT systems. The 
Windows NT version is sold separately. 
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Filter I is an intelligent fuzzy logic filter for use with ambient data. This 
enhanced forensic filter can quickly make sense in the analysis of Windows 
swap file data, file slack data and data associated with erased files. It relies 
upon pre-programmed artificial intelligence to identify fragments of word 
processing communications, fragments of E-mail communications, fragments 
of Internet chat room communications, fragments of Internet news group 
posts, encryption passwords, network passwords, network logons, database 
entries, credit card numbers, social security numbers and the first and last 
names of individuals that have been listed in communications involving the 
subject computer. This unique computer forensic tool can also be effectively 
used in computer security reviews as it quickly reveals security leakage and 
violations of corporate policy that might not be uncovered otherwise. The 
software does not rely upon key words entered by the computer specialist. It 
is a pattern recognition tool that recognizes patters of text, letter 
combinations, number patterns, potential passwords, potential network logons 
and the names of individuals. 


GetFree is an ambient data collection tool used to capture unallocated data. It 
is used to capture all of the unallocated file space on DOS and Windows 
95/98 systems. It can be used to validate the secure scrubbing of unallocated 
storage space with the M-Sweep ambient data deletion software. When used 
as an investigative tool, it eliminates the need to restore files on the hard disk 
drives. GetFree has also proven to be an ideal tool for use in computer 
security risk assessments because the software automatically captures the data 
associated with unallocated file space. This tool is ideal for the validation of 
the results when computer security scrubbers have been used. Thus, it aids in 
the process of security certifications of computer storage media. 


GetSlack is an ambient data collection tool used to capture file slack. It is an 
ideal computer forensics tool for use in investigations because memory 
dumps in file slack are the cause for security related concerns. Typically, 
network logons and passwords are found in file slack. It is also possible for 
passwords used in file encryption to be stored as memory dumps in file slack. 
From an investigative standpoint, file slack can contain leads and evidence in 
the form of fragments of word processing communications, Internet E-mail 
communications, Internet chat room communications, Internet news group 
communications and Internet browsing activity. It also acts as a good 
validation tool for use with computer security programs designed to eliminate 
file slack 


GetTime is used to document the system date and system time settings of the 
subject computer. File dates and times associated with allocated files and 
previously deleted files can be important in cases involving computer 
evidence. The reliability of the file dates and times are directly tied to the 
accuracy of the system settings for date and time on the subject computer. It 
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is thus important to document the accuracy of the system clock. 


Net Threat Analyzer is a forensic internet analysis software used to identify 
corporate internet account abuses. The software relies upon computer 
artificial intelligence logic to quickly identify patterns of computer data tied 
to Internet E-mail communications, Internet Browsing activity and the 
download of files from Internet sites. It is used to identify Internet activities 
that have been transparently stored in ambient data storage areas of computer 
hard disk drive, to evaluate Windows swap files and investigative leads in the 
form of file slack and unallocated data storage areas. 


M-Sweep Pro is an ambient data security scrubbing utility for use on 
notebook computers that contain sensitive computer data. It also has 
application both with desktop computers and in the safe exchange of data via 
floppy diskettes and Iomega Zip Disks. This software repeatedly overwrites 
data storage areas. It is compatible with DOS, Windows 95/98/NT/2000. It 
meets US government requirements for the secure deletion of computer data 
and it deals with threats associated with shadow data concepts. 


NTI-Doc is a documentation program for use in recording file dates, times 
and attributes. This program is used to essentially take an electronic snapshot 
of files and subdirectories that have previously been identified as having 
evidentiary value. The program automatically creates documentation that can 
be printed, viewed or pasted into investigative computer forensic reports. 


PTable is a utility used to review and analyze the partition tables assigned b 
a hard disk drive. This tool is essential concerning network forensics or when 
multiple operating systems are stored on one hard disk drive in multiple 
partitions. It can also used to identify hidden data potentially stored in the 
partition gap or unknown partitions. 


Seized is a program used to lock and secure evidence computers. It limits 
access to computers that have been seized as evidence. When the program is 
operated, it locks the computer system and displays a message on the screen 
advising the computer user that the computer contains evidence and it should 
not be operated without authorization. The program is to be installed on a 
DOS system diskette for placement in the floppy diskette drive on the 
computer system and is to be called from an AUTOEXEC.BAT file. Once the 
program has been called it, locks the computer and displays the warning 
message on the screen. 


ShowFL is a program used to analyze the output of file list. It is intended for 
use with the FileList software. It allows for easy sorting, analysis and viewing 
of database output. 


TextSearch Plus is a text search utility used to locate key strings of text and 
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graphic files. It quickly searches hard disk drives, zip disks and floppy 
diskettes for key words or specific patterns of text. It operates at either a 
logical or physical level at the option of the user. It is compatible with FAT 
12, FAT 16 and FAT 32 DOS based systems on DOS and Windows95/98. 


EnCase 
from Guidance Software, Inc. 
www.encase.com/html/forensic_software.html 


EnCase is the industry leading computer forensic software tool used by most 
all computer forensic examiners. Award winning and court tested, EnCase 
software allows law enforcement and IT professionals to conduct a powerful, 
yet completely non-invasive computer forensic investigation. EnCase features 
a graphical user interface that enables examiners to easily manage large 
volumes of computer evidence and view all relevant files, including "deleted" 
files, file slack and unallocated data. The integrated functionality of EnCase 
allows the examiner to perform all functions of the computer forensic 
investigation process, from the initial "previewing" of a target drive, the 
acquisition of the evidentiary images, the search and recovery of the data and 
the final reporting of findings, all within the same application. Further, 
EnCase methodology allows the examiner to perform these processes in a 
non-invasive manner, meaning not one byte of data is changed on the original 
evidence. The final reports and extracts generated by the built-in report 
feature documents the investigation results and integrity of the original data 
with a clear and concise chain of custody to ensure the authentication of the 
examined electronic evidence in a court of law. 


Extractor 
from WetStone Technologies, Inc 
www.wetstonetech.com/extract.htm 


Extractor is a Linux RedHat deleted file recovery tool. It can assist law 
enforcement, government and commercial organizations in retrieving 
maliciously or accidentally deleted files within the increasingly popular Linux 
operating system environment. The technology was initially invented to assist 
the New York State Police Forensic Investigation Center (FIC) with the 
extraction of deleted data from a Linux RedHat computer system taken as 
evidence on a case. The tool can extract the deleted file contents, the original 
file attributes, the time and date of deletion, last modification, access and 
creation date of the file, and the owner and group the file was a member of. 


Forensic Recovery of Evidence Device 

from Digital Intelligence, Inc. 

www.digitalintel.com/fred.htm 

The Forensic Recovery of Evidence Device (FRED) is a highly integrated 
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platform for the acquisition and analysis of computer-based evidence. FRED 
contains a suite of forensic software like DriveSpy, Image, PDWipe, 
PDBlock, PART 


DriveSpy is a forensic DOS shell. It is designed to emulate and extend the 
capabilities of DOS to meet forensic needs. Whenever appropriate DriveSpy 
will use familiar DOS commands to navigate the system under investigation. 
When beneficial, DriveSpy will extend the capabilities of the associated DOS 
commands, or add new commands as necessary. DriveSpy provides a familiar 
DOS-like prompt during system navigation. DriveSpy does not use drive 
letters in the prompt, but rather a Drive/Part combination to eliminate 
confusion in the event where the resident operating system has not assigned a 
drive letter to the drive being processed. 


Image is a standalone utility to generate physical images of floppy disks. The 
files generated by Image contain complete physical images of the diskette 
being processed. Image is capable of generating either highly compressed or 
flat images for forensic analysis. It utilizes internally implemented algorithms 
which are identical to those used in ZIP compatible archives. Non- 
compressed flat images may also be generated to facilitate examination of the 
image file itself. Image supports cyclic imaging and restoration to automate 
the processing of large numbers of diskettes. The program also provides the 
ability to attach descriptive information to each image file. Technical and 
descriptive information associated with eachfile may be displayed without 
having to actually restore the image. Image maintains an MD5 checksum of 
each image file it creates. This checksum compared during restoration to 
ensure that no degradation or corruption of the image file has occurred. Image 
will generate self-restoring image executables for distribution and usage 
without the utility itself. Image is very simple to use. Command line 
parameters are minimal and very intuitive. 


PDWipe (Physical Drive Wipe) is a standalone utility to wipe (zero) an entire 
physical hard drives. It provides the option of using a character other than 
Ox00 when wiping a drive. It also offers the ability to wipe the drive using a 
random pattern. It will optionally record Logical Sector Addresses, and CHS 
addresses for both Intl3 and Intl3x geometries at the beginning of sectors as 
they are wiped. The latter is useful when diagnosing architectural 
discrepancies when moving a drive between systems or validating imaging 
utilities. It can also verify that the contents of a specified number of randomly 
chosen sectors have been wiped. If a wipe-verification is requested, it will 
also automatically verify the first and last sector on the drive. Command line 
options are provided such that the program may run from within a batch file 
to wipe large numbers of hard drives prior to redistribution. 


PDBlock (Physical Drive Blocker) is a standalone utility designed to prevent 
unexpected writes to a physical disk drive. When PDBlock is executed on a 
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computer its job is to prevent all writes to the physical drives. 


PART is a Partition Manager, which lists summary information about all the 
partitions on a hard dsk, switch bootable partitions, and even hide and unhide 
DOS partitions. The PART utility adds 10x to the DOS partition type code to 
hide and unhide partitions. The PART utility may be used to switch between 
multiple bootable primary partitions. 


Forensic Utilities 
from Key Computer Service, Inc 
www.cftco.com/utilities.htm 


Wiper is a forensic disk wiping utility that will completely erase all 
information on a logical or physical drive by overwriting each and every byte 
with a character that is user selectable. The program is written entirely in 
assembly language and therefore is small and fast. It uses the BIOS disk 
services, even for the logical drives, thus will wipe a drive regardless of the 
operating system format. The user may select a one-pass wipe, using the 
default character of 00 or a character entered by the user, or a "secure", seven- 
pass wipe. The "secure" wipe uses alternating ones and zeros for six passes, 
then finishes the process with a pass using the user-selected character or zero, 
leaving a completely blank drive, except for the low level formatting 
information. The speed is about 3 to 4 minutes per GB per pass for a hard 
drive. 


ListDrv is an assembly language utility that examines a logical drive, or 
several logical drives on a physical drive, for FAT12, FAT16, or FAT32 
files. As they are found, they are saved to a comma-delimited and quotation 
mark-delimited file prepared for importation into a database program or a 
spreadsheet program such as Excel, for any desired manipulation. ListDrv 
will also list deleted files if desired. The listing includes the complete path, 
the long file name, if present, the alias or short file name, and the other date, 
time, size, and location information. If removable media is used to save the 
listing file, ListDrv will span multiple disks. 


ChkSum is an assembly language disk utility that calculates a 64-bit 
checksum for a physical or logical disk drive. 


FreeSecs is an assembly language disk utility that searches a specified logical 
drive for the unallocated or free space, and saves the information contained in 
unallocated space to one or more files. FreeSecs can additionally search any 
physical drive (regardless of the operating system) and save all the 
information contained on all sectors to one or more files. 


DiskDupe is an assembly language utility that makes exact forensic copies of 
floppy diskettes. 
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DataSnifferis an excellent parsing and carving utility that can “carves” data 
or files from files or unused space. DataSniffer has a number of separate 
functions such as a file extraction utility, a data parsing utility, a image 
compiler utility, a recycle bin history utility and a file signature generator 
utility. 


Forensic Utility Suite 
from LC Technology International, Inc 


www.lc-tech.com/forensicsuite.asp 


The Forensic Utility Suite allows forensic recovery of data on all Microsoft 
operating systems. The suite is a compilation of the RecoverNT, Recover98 
EXPRESS and FILERECOVERY for Windows. All of these utilities are 
unique in their own way providing multiple recovery options on IBM 
compatible Intel based computers with Windows 95/98/Me/NT/2000/XP. It is 
a total solution for all Microsoft file systems, allowing for fast, safe, and 
reliable file recovery with the ease of use of the Windows environment. The 
Forensic Suite comes with remote clients to do recovery across a network as 
well as a DOS client that allows user to recover through DOS on un-bootable 
machines. 


RecoverNT runs natively under the Windows 95/98/Me/NT/2000/XP 
operating system and supports multi-boot, striped, spanned and mirrored 
drives as well as all versions of RAID. RecoverNT can scan and recover files 
that have been destroyed. It is compatible with FAT12, 16, 32 and NTFS file 
systems and IDE/ATA, SCSI, RAID and removable media. 


Recover98 Express is a fast Undelete for Windows 95/98 with FAT File 
Systems. It allows the retrieval of files which have been deleted from a disk 
and recycle bin. It uses a unique Virtual File System that displays only 
deleted files and directories making finding files a simple task. The user can 
scan a drive and the Explorer-like interface displays the recoverable files. 


FileRecovery for Windows is a cross platform undelete for Windows 
95/98/Me/NT/2000/XP. It supports FAT12, FAT16, FAT32 and NTFS 
formats. The new Search and Filter options make recovering files fast and 
easy with full preservation of the directory structure. 


ForensiX 
from Fred Cohen & Associates 
www.all.net/ 


ForensiX is a software embedded in a system, using a wide variety of 
existing tools to aid in forensic analysis of digital evidence. This 
comprehensive digital forensic analysis package images and analyzes Mac, 
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DOS, Windows, Unix, and other disks and files, PCMCIA cards, IDE, SCSI, 
parallel, serial, IP traffic and other data sources. It searches for known site 
names and known digital fingerprints. It automatically produces chain-of- 
evidence information to assure the integrity of the imaged data, generate 
reproducible analytical results and documents the analysis process. 


Omniquad Detective 
from Tech Assist, Inc 
www.toolsthatwork.com/ttw-tools.shtml 


Byte Back is a professional data recovery and computer investigative utility 
with powerful low level cloning, imaging, and disk analysis tools. It clones 
and images most drive formats, repairs Partitions and Boot Records of 
FAT12, FAT16, FAT32 and NTFS volumes, offers individual file recovery 
for these environments, quickly overwrites every sector of a drive, contains a 
powerful sector editor for working with raw data and performs an in-depth 
read-only scan of a disk's surface. It supports drives up to 4 terabytes, 
archives images and reports to most network storage devices and perform safe 
recoveries on hard disk, Zip, Jaz and floppy. It has the ability to search for 
any character string on the entire drive, including slack areas, and gives on 
the-fly direct control over the system's Read Retries, Process Delay and 
Timeout. It is also integrated with MDS. 


Desktop Surveillance is a combination of a Network Intelligence 
Management and Productivity tool and a Desktop Content Security utility. It 
can identify every action performed by the user and record those actions in 
three different ways: virtual video, keystroke capture and smart activity 
logging. It monitor and records all Windows desktop activity, such as 
keystrokes, e-mail, chat, surfing, instant messaging and hacking with 
powerful access control and filter capabilities. The monitor can operates in a 
Prevention mode to make the users aware that their actions may be monitored 
or in the Stealth mode without the users’ knowledge. Desktop Surveillance 
can be remotely controlled via local network or the Internet, and in both cases 
it is possible to remotely observe activity on the local desktop in real-time. Its 
access control provides an ability to easily design, create and implement an 
organization-wide acceptable usage policy to launch Blocking, Limited 
Access or Lockdown functions. 


Detective is a software tool designed to allow for rapid investigation of the 
contents and activities of a Windows PC. It investigate the history of the PC 
to determine what the system was used for, such as which web sites were 
visited, what images were downloaded. Detective can be installed on the file 
server and operated in batch mode. This will simultaneously scan network 
workstations and save results on the network server for easy retrieval by the 
system administrator. It can also automatically perform the scan according to 
preset parameters, providing either a separate report for each workstation or 
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only one summary log to be appended each day. 


Ultimate Toolkit for the Forensics Specialist 
from AccessData Corporation 


www.accessdata.com/products.htm#Modules 


Password Recovery is a toolkit that handles all password recovery needs in 
one package, with a wide variety of individual password breaking modules. 


NT and Novell Password Replacement Utilities allow continued access to 
Windows NT and Novell file servers with replacement of administrator 
password. 


Distributed Network Attack (DNA) is a utility for recovering password- 
protected files. DNA decrypts password protected Microsoft Word and Excel, 
and Adobe Acrobat (PDF) documents, using an exhaustive key search. The 
DNA Manager is installed in a central location where machines running DNA 
Client can access it over the network. DNA Manager coordinates the attack, 
assigning small portions of the key search to machines distributed throughout 
the network. DNA Client will run in the background, only taking unused 
processor time. Users will see no difference in processor speed since DNA 
Client cannot override a higher priority program. The program uses the 
combined processing capabilities of all the attached clients to perform an 
exhaustive key search on Office 97/2000 encrypted documents to decrypt the 
file. 


Forensic Toolkit (FTK) is a_ handy utility for computer crimes 
investigators. FTK offers users a complete suite of technologies needed when 
performing forensic examinations of computer systems. Its full text indexing 
offers quick advanced searching capabilities. In addition, the FIK has 
incorporated Stellent's Outside In Viewer Technology to access over 255 
different file formats. The Known File Filter (KFF) feature can be used to 
automatically pull out benign files that are known not to contain any potential 
evidence and flags known problem files for the investigator to immediately 
examine. 


SecureClean provides reliable and comprehensive protection to 
electronically shred information by purging deleted files on the PC. It also 
cleans cache, cookie and history files from IE4 and IES in real time. 


CleanDrive offers reliable and comprehensive protection to electronically 
wipe the hard drive. CleanDrive includes two utilities: WipeDrv and 
CleanDrv. WipeDrv erases data from a physical hard drive, independent of 
the format, including the partition tables.CleanDrv is a_ secure drive 
reformatting utility that both reformats and erases drive data stored on 
FAT12, FAT16, and FAT32 formatted drives. It erases filenames, folder 
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names, file content, the file information tables and the logical drive partitions 
(drive letters). Both the CleanDrive utilities support any size hard drive and 
can overwrite drive data 1, 3,77, 12, or 35 times. 


Vision 
from Foundstone 
www.foundstone.com/products/ 


Vision is a forensic utility that maps all of a host's executables to 
corresponding ports, allowing the examiner to identify and _ investigate 
suspicious services. It allow the interrogation of suspected services to identify 
backdoors and Trojan applications. If a malicious service is identified, it can 
immediately kill the process. 
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APPENDIX D: SUMMARY OF REQUIREMENTS OF A 
COMPUTER FORENSIC INVESTIGATOR 


An investigator requires a capability to simultaneously preview a_ large 
number of systems on site to determine which ones contain relevant evidence. 
In most cases, an initial search at the physical level of the media may be 
sufficient to determine if a specific computer system or piece of media 
contains relevant information and should be imaged and preserved for further 
more detailed analysis. However, a search at the logical layer would be also 
required to look for relevant files that may be compressed, encrypted, 
encoded, or with reserved keywords that may be physically fragmented on 
disk. 


An investigator requires the capability to conduct a search at the physical 
level of the target media, ignoring operating system and file system logical 
structures, regardless of the logical content. This physical search of the media 
essentially searches all logical files, file slack, free or unallocated space, and 
all space on the media outside any logical data areas. 


The search tool must be able to reliably report the physical location on the 
media where responsive data were found. Even though a physical search is 
conducted, the search tool may be able to determine whether the keyword 
resides in a logical file on the media, in file slack, in free space, or in areas of 
the media outside the logical data area. The investigator must be able to 
discern the context within which a word or phrase resides on the media to 
determine if the context is relevant to the investigation. So the search tool 
must be capable of displaying some amount of data that resides on disk 
immediately prior to the keyword and some amount of data that resides on 
disk immediately after the keyword. 


An investigator requires the capability to conduct a thorough, read only 
search at the logical level of the target media. A search of the logical file 
space is likely to require less time than a search of the physical media, but 
likely will not search every sector of the media. If an investigator begins with 
a logical search to preview media, and that search produces no relevant 
results, the investigator may have to follow up with a search of the physical 
media to ensure a thorough search. 
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An investigator requires an ability to generate a listing of all logical files in a 
file system. This listing must include not only all the regular files in a file 
system, but also all files with special attributes, such as hidden files, read- 
only files, system files, executable files, directories, links to files, device files, 
etc. And the tool that creates this list must be able to write the list of files to 
appropriate media, whether that is a network accessible volume, a local hard 
drive not under investigation, or some appropriate removable media 
connected to the analysis machine. In addition, an investigator requires an 
ability to generate a listing of all the date and time stamps an operating 
system may store in relation to each file in the file system. Further, an 
investigator requires the ability to identify and generate a listing of all deleted 
files in the file system. Various operating systems handle deleting files in 
various ways, so the specific capability of a tool will be dependant on the file 
system the tool is examining, but to some degree, all file systems have a way 
of at least identifying that a file once existed in a certain space. 


An investigator requires an ability to search the contents of the regular files in 
a file system without changing either the data in the file or any date and time 
data recorded by the operating system about the file. Some search tools that 
operate at the logical level of the media do not quite meet this requirement. If 
a search tool allows the operating system to update date and time stamps of 
last accessed when the tool runs, then the investigator must take steps to 
preserve those date and time stamps prior to using the search tool. 


An investigator requires an ability to identify and process special files. 
Special files are in a format where their contents not in a readily readable, 
searchable format. These include encrypted, compressed or password 
protected files; steganographic carrier files; graphics files, video files and 
audio files; PDF format files; executable files or binary data files; files 
housing email archives and/or active email content; swap files or virtual 
memory files, and other such file formats that obscure their plain text content. 


An investigator requires the capability to recover pertinent deleted files or 
portions thereof that have not been overwritten. This would logically include 
a capability to identify and search all file slack, identify and search all free 
and unallocated space, identify relevant file headers in free space, identify 
deleted directories in free space, including directory entries for deleted files, 
and recover deleted directory entries as well as all pertinent deleted files that 
are not overwritten. 
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An investigator requires the capability to make forensically sound images of a 
wide variety of media. Once the preview process has identified that certain 
systems or media contain information relevant to the issues at hand, an 
investigator must have tools capable of making forensically sound images of 
those systems or media. The image must include a true, validated copy of 
every bit of every byte contained on the media, without regard to media 
contents. 


An investigator requires the capability to restore forensic images to suitable 
media. This requirement stems from a need to be able to run applications 
installed on drive that have been preserved as evidence. Most applications 
rely on installation processes that do more than just copy the application files 
to the media. So running the application in its installed environment may be 
necessary. This cannot currently be done from within the image files, so the 
image must be restored. 


An investigator requires the capability to perform a_ sector-by-sector 
comparison of two pieces of media to determine where they differ. To verify 
that one piece of media is an identical copy of another, investigators typically 
use media hashes of some type. But where two pieces of media are thought to 
be identical copies of each other but hash differently, it must be possible to 
compare sector-by-sector. The tool should also verify if any of the differences 
between the original and the copy are merely sectors filled with 0x00 and are 
accounted for by geometry differences only. 


An investigator requires the capability to thoroughly document _ their 
investigative activities and succinctly document the data recovered from a 
piece of media that are relevant to the allegations under investigation. If the 
software is self-documenting and certain reports are automatically generated 
for the user, based on the results of exercising the capabilities of the software, 
this could help make reporting results much simpler. 
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APPENDIX E: HANDOUTS FOR COURSE LECTURES 


The following pages, 1 — 110, are the handouts for the course lectures. 
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Computer Forensics 


What is Covered 


Fundamentals of computer forensics 


An overview of existing computer security 
mechanisms that could aid in the recovery of 
digital evidence for forensic analysis 


Techniques for computer evidence recovery 


Laboratory exercises on the use of common 
computer forensic tools 


Sections 


Cyber Crime & Incident Response 
Introduction to Computer Forensics 
Application of Forensic Science to Computers 
A Structure for Forensic Investigations 
Computer Forensic Procedures 

Forensics using MAC Times 


Course Objectives 


To provide students with an understanding of 
the fundamentals of computer forensics. 


To examine how information is stored in 
computer systems and how it may be 
deliberately hidden and subverted. 


To establish a sound theoretical foundation of 
the methods used in extracting information 
for forensic examination. 5 


Reference Materials 


Handbook of Computer Crime Investigation: 
Forensic Tools & Technology 
* Eoghan Casey (editor) 


Computer Forensics Column, 


Doctor Dobb's Journal 
¢ Dan Farmer and Wietse Venema 


Digital Evidence and Computer Crime: 
Forensic Science, Computers, and the Internet 
¢ Eoghan Casey 


The Process of Network Security: 


Design and Managing a Safe Network 
¢ Thomas Wadlow 


Sections 


Forensics on Windows 
Forensics on Unix 
Forensics on the Networks 


. Forensics on an Unknown Program 
. Forensics on Intrusion Activities 
. Forensics on Wireless Network 





Cyber Crime 


Section 1 


Crime involving computers and networks 


Cyber Crime & Types 
Incident Response 


— Computer as a Target 
— Computer as a Criminal Instrument 
— Computer Incidental to other Crimes 


— Crimes Associated with Prevalence of Computer 


Cyber Crime Cyber Crime 


Computer as a Target 


— Computer and Network Intrusion 
— Data Theft 


— Technical Vandalism 


¢ Computer Incidental to other Crimes 
— Drug Trafficking 
— Money Lending 
— Child Pornography 


Computer as a Criminal Instrument ¢ Crimes Associated with Prevalence of Computer 
— Credit Card Fraud — Copyright Violation 
— Telecommunications Fraud — Software Piracy 

— Component Theft 


Computer Crime Types of Computer Crimes 


* One of the types of Cyber Crime 


¢ Theft of computer services and information 
¢ Instances of Computer Crime are defined in the 


Unauthorized access to protected systems 
Software piracy 

Alterations of electronic information 
Crimes involving use of computers 
Transmission of malicious code 


US Computer 
Fraud and 
Abuse Act 





Computer Crime Prosecution Computer Crime Prosecution 


Locate the attack areas. ¢ Convince the court to issue an order for the 
appropriate law enforcement agency to act. 


Gather adequate proof. ; } 
* Collect more evidence, ensuring that the 


Collect evidence without breaking the law. integrity of the digital evidence is not 


Select a lawyer and court familiar with the commpropused: 


technicalities of computer crimes. ¢ Arrest and prosecute the suspect with the 
corroborating evidence. 


Incident Response Incident Response 


° Prerequisite ¢ More than often, the computer security 
team, the incident response team, and the 
Thorough understanding of the design, defenses and computer forensic team, are the same key 
monitoring systems in the network players wearing multiple hats. 

Aware of the system resources and tools 

Understand the response plan for reported/detected * Some of these roles may complement 
incidents each other, while others may interfere 
Familiar with the procedures and specific tasks, and the with one another. 

importance of urgency 


Familiar with operations of the organization 


Incident Response Incident Response 


¢ The tasks at hand usually compete for time b. The computer forensic team needs to collect 


and attention from these key players and preserve evidence to reconstruct the 
events, determine the extent of the damage, 
a. The incident response team needs to conduct a and prosecute the intruder. 
preliminary assessment of the compromise 4 : 
and tighten the security settings to minimize . The computer security team needs to review 


the damage or opportunities for repeated the computer security plan and policy to 
intrusions. prevent recurrences of such incidents. 





Incident Response System Discrepancies 


¢ Itis important to be able to put aside the less ¢ There are many minor discrepancies every 
important and distracting tasks that may day that are not caused by intruders. 
interfere with the incident response, forensic 
examination or security implementation— * Too many false alarms will dull the ability 
whichever is the priority. of the incident response and forensic team 


ai anus puiofity winy shanbedepenting onthe to response properly in a real crisis. 


type of intrusion and incident. All key 
players must understand what is the priority. 
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System Discrepancies React Quickly & Decisively 


¢ Discrepancies may not be noticed first by the * You are not playing chess where there are clear 
incident response team but by users who are rules and you can see the position of all pieces 
untrained in spotting computer security on the board. 
problems. 
¢ If you adopt a conservative plan, move and 
* The incident response team will generally then wait for countermove, you will be playing 


exhaust many other possibilities before seriously the game the way the attacker wants it played. 
entertaining the idea of an intruder break in. 


Priorities During an Attack Priorities During an Attack 


1. Confirm the attack 2. Attack Response 


Scramble the response team 

Determine the location of the attacker (internal 
or external) and means of entry, so that he can 
be cut off 

Decide on a state of lockdown—imonitor or halt 
network 

Verify integrity of logs and logging machines 


— Examine other information sources for 
confirmation to determine if the incident 
report is a false alarm 


Estimate extent of contamination and locate 
contaminated systems 





Priorities During an Attack 


3. Lockdown 


Verify integrity of essential infrastructure systems 
Deny attacker additional access to network or 


attempts to switch to another machine on the 
network 


Close the apparent means of entry 


If compromise of normal shutdown procedure is 
suspected, pull the power cord to halt machine 
abruptly. 


Priorities During an Attack 


5. Cleanup 


Focus on returning network and systems to 
full operational status 

Contaminated systems shall be taken offline 
and completely rebuilt, and watch for self- or 
re-infection 

Verify that attack has not been designed to 
erase backup tapes when mounted 


Investigation Checklist 


¢ Date and time of attack or detection 


¢ What files were compromised 
— New and hidden files 
— Unusual file or directory names and size 
— Normal-looking files out of their unusual places 


¢ bin: binary programs 

¢ lib: loaded libraries and static data files 

¢ dev: device drivers 

* etc: administrative programs and configuration files 


* man: manual pages 
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Priorities During an Attack 


4. Stabilization 


Ensure attacker has no further influence on 
the network 

Monitor system activities to determine 
secondary contamination or successfully 
installed malicious code 


Priorities During an Attack 


6. Restart and Monitor 


— Watch all subsequent activities from the 
attack source network or entries of attack 


Investigation Checklist 


Which machines were compromised 
— Unusual running processes 


How initial penetration occurred 
What holes have been added 
Anomalies in logs 


Anomalies in network 
— Unauthorized network listeners 





Managing the Incident Response Managing the Risk 


¢ Break up the investigation 


— Assign members to examine different areas 
concurrently 


¢ Before resuming normal business operation, 
be reasonably confident that it will not 


cause a major problem or re-attacks 
¢ Schedule regular team briefing 


; : : ¢ Difficult to be absolutely certain 
— Avoid constant interruption for status updates 


— Avoid uncoordinated duplication and poor correlation * Need to find acceptable level of risk and get 


* Schedule management brief back online 


— Provide facts and not too much unproven speculations 
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Section 2 


Introduction to 
Computer Forensics 


Requirements for Digital Detectives 


Technical awareness 
Knowing the technical implications of your actions 
Understand how data can be modified 

Clever, open-minded & devious 

Highly ethical 

Continuing education, knowledge of history 
Always use highly redundant data sources when 
drawing conclusions 
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Digital Evidence 


¢ Pros (cont) 


— Evidence may not be easily destroyed and can 
be recovered even when deleted 


* Cons 
— Seizing, preserving and analyzing digital 
evidence is the greatest forensic challenge 


— Privacy concerns complicate gathering of 
evidence 


Computer Forensics 


Applic ation of Technical Knowledge 

scientific principles 
and techniques to ees 
facilitate ae 
investigation and Computer 

Forensics 
prosecution of 

. Forensi ae 

computer crime. Stites Penne 


Analysis Understanding Criminal 
Approach Behavior and Motivation 


Digital Evidence 


Physical Evidence in Electromagnetic form 
Pros 


— An exact copy can be duplicated to avoid risk 
of damaging original evidence 


— Having the right tools can help to determine if 
the evidence has been modified or tampered 
with 


Use of Digital Evidence 


Digital evidence must be preserved in its 
original state 


Evidence must be proven to be authentic 
and unaltered 


A printout or duplicate of digital evidence is 
admissible in court unless the authenticity 
of the original evidence is in question 





US Federal Rules of Evidence 


¢ Records of regularly conducted activity are 
not hearsay, and thus admissible 


¢ Examples 
— Security logs 


— Audit logs 
— Backup 


Collecting Hardware 


e Advantages 


— When hardware contains a large amount of 
evidence 


— Requires little technical expertise 
— Simple and less open to criticism 


— The hardware can be examined later in a 
controlled environment 


Collecting All Information Media 


e Advantages 


— Information and evidence can be examined later 
in a controlled environment 


— Working with a duplicated copy avoids damage 
of original evidence 


— Avoids the risk and liabilities of collecting 
hardware 


Collecting Digital Evidence 


¢ What to collect? 
¢ Hardware 
¢ All Information Media 


¢ Selected Information Media 


¢ Relevant when hardware or information are 
¢ Fruit of the Crime 


¢ Instruments of the Crime 
¢ Evidence of the Crime 


Collecting Hardware 


¢ Disadvantages 
— Risk of damaging equipment, preventing it 
from operating properly again 


— Risk liability for unnecessary disruption of 
service 


— Develop a bad reputation for a heavy -handed 
approach to investigation 


Collecting All Information Media 


¢ Disadvantages 


— Requires equipment and technical expertise 


— Risk not being able to restart computer or 
access entire contents 


— Risk missing evidence 
— Time consuming 


— Methods are open to criticism 





; : : Whether to Turn the Computer 
Collecting Selected Information Media Off or Leave It Running? 


¢ Advantages : 
Y 7 : * Most law enforcement agencies recommend 
= Eallow dona taape: Ol expertise, turning the computer off immediately 
— Able to obtain help from System Administration 
— Practical, quick and inexpensive ¢ Philosophy based on the assumption that 


— Avoid risk and liabilities of collecting hardware and evidence trail may later be erased by the 
information media not specified in warrant intruder 


¢ Disadvantages 


— May miss or destroy evidence 


Whether to Turn the Computer 
Off or Leave It Running? 


¢ Advantages of turning the computer off 
immediately 


Whether to Turn the Computer 
off or Leave It Running? 


Disadvantages of turning the computer off 
immediately 


— To prevent evidence from being destroyed or — Terminate monitoring of the intruder and 
corrupted 


collection of further evidence 
— To contain the attack — Disruption of service 


— Tip off intruder that his attack has been detected 


— Admit to hacker that he has successfully 
compromised the system 


Securing Physical Evidence Reporting to Law Enforcement 


¢ Prevent unauthorized access to powered 


¢ Many organizations distrust law 
down systems 


enforcement when it comes to computer 


: : crime 
— Mark contaminated systems with label “Do not 


touch. Do not power up.” ¢ Many organizations have experienced or 


= ee F heard of seizure and damage of hardware 

Pee ee ene pn ges coer rite and the information media as a result of 
from the systems. : 3 

severe heavy-handed approach in their 


— Keep contaminated systems in a secure place. investigation 





Reporting to Law Enforcement 


¢ These organizations will choose not to 
involve law enforcement until they decide it 
is absolutely necessary 


— which is often too late 
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Application of Forensic 
Science to Computers 


What is Computer Forensics? 


Computer Forensics involves the 
identification, extraction, 
preservation and documentation of 
computer evidence stored in the 
form of magnetically encoded 
information. 


Collecting Contents from a Computer 


¢ The computer should be shut down 


¢ The computer should be booted using 
another operating system that bypass the 
existing one and does not change data on 
the hard drive 


Application of Forensic 
Science to Computers 


. Recognition 5. Classification 

. Preservation 6. Comparison 

. Collection 7. Individualization 
. Documentation 8. Reconstruction 


Computer Forensics - Why? 


e Many times computer evidence is created 
transparently by the computer’s operating 
system and without the knowledge of the 
computer operator. 


Such information may actually be hidden from 
view and thus forensic software tools and 
techniques are required to preserve, identify, 
extract and document this computer evidence. 
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Collecting Contents from a Computer 


¢ All related evidence should be taken out of 
RAM 


¢ A copy of the digital evidence from the hard 
drive should be made 
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Bitstream Copy 


¢ When collecting the contents of a computer 
memory, a bitstream copy is usually desired 


¢ A bitstream copy duplicates everything in a 
cluster, including anything that is in the 
slack space 


Evidence Collection and Preservation 


¢ Empirical Law of Digital Evidence 
Collection and Preservation: 


— If you only make one copy of digital evidence, 
that evidence will be damaged or completely 
lost 


¢ Always make multiple copies of the digital 
evidence 


Evidence Collection and Preservation 


¢ It is imperative that the digital evidence is 
saved onto a completely clean disk or write- 
once media like a CD-ROM 


— Copying digital evidence on used media may 
allow the old data in the slack space to pollute 
or contaminate the digital evidence 


File Copy 


¢ Unlike a bitstream copy, a regular file copy 
only duplicates the file and leaves the slack 
space behind 


¢ The slack space or allocated space may 
contain important evidence 


Evidence Collection and Preservation 


¢ Hackers have been known to interfere with 
the backup process to prevent it from 
working correctly 


— Make certain that the copying of evidence is 
successful and can be accessed on another 


computer 


Evidence Collection and Preservation 


¢ An alternative to seizing all of the hardware 
or digital evidence is to just take what is 
needed 


— This has the advantage of being easier, faster, 
less expensive and less risky than shutting 
down a computer, rebooting it and making full 
bitstream copies 
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Evidence on DOS/MAC/FAT32 
Do not power off computer, RAM evidence will 
be lost 


To get content out of RAM, all opened programs 
must be closed 


When prompted to save, do not write over 
existing content 


Shut down the computer... 


Evidence on NTFS 


¢ Security partitions complicate the collection of 
digital evidence 


¢ Use a boot disk to bypass the Win NT OS to 
access content of hard disk 


¢ Evidence can also be collected directly by 
another computer connected on cable and 
running the disk copy utilities 


Documenting Digital Evidence 


¢ To support that digital evidence is authentic, 
unaltered and in its original state 


¢ Since digital copies of evidence are identical, 
labeling helps to tell them apart from the 
original 

¢ Labeling is particularly crucial when there are 
several computers with identical components 
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Evidence on DOS/MAC/FAT32 


¢ Use a boot disk to bypass OS in the hard drive 
when booting up the computer 


Copy content of hard disk to clean tape, disk or 
CD-ROM (some I/O devices will not operate 
without loading specialized drivers, so have 
different backup devices available) 


Perform a bitstream copy 


Evidence on Unix 


Unix allows programs to run on background, 
hence it is necessary to explicitly list all 
processs using ps—aux 


Extract key evidence from RAM on unfamiliar 
or suspicious processes using gcore 


Booting a Unix machine off a boot disk is a 
complicated process, be careful to avoid 
destroying digital evidence 


Make a bitstream copy using dd 


Documenting Digital Evidence 


Labeling can support a chain of custody for 
the digital evidence, thus establishing 
complete control of the evidence at all times 


A complete list of all files, properties and 
message digests should be filed and 
properly documented 
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Message Digest 


¢ A message digest produces a statistically 
unique hash for a given input and is always 
the same for the same input 


¢ Examples: 
— MD 5 algorithm 


— Tripwire application 


Message Digest 


¢ Digital signature adds authenticity to 
the message digest 


Message Digest = Integrity 
Digital Signature = Authenticity 


Individualization of Evidence 


Richard Smith tracked down the creator of 
the Melissa virus based on the Ethernet 


address of the computer embedded in the 
Word97 document 


Message Digest 


¢ Message digests provide statistically 
uniqueness of a file, hence they are 
sometimes referred as digital fingerprint 


¢ A message digest of the digital evidence 
will produce a different hash if the digital 
evidence has been tampered with 


Individualization of Evidence 


¢ Comparing digital evidence with a control 


specimen can highlight unique aspects of the 
evidence 


¢ These individualizing characteristics of the digital 
evidence can be used to 
— link cases 
— generate suspects 


— associate a crime with a specific computer 


Classifications of Digital Evidence 


¢ By Contents 


— Using the contents of an email meassage to 


classify it and to determine which computer it 
came from 


— Swap files and slack space contain a random 
assortment fragments of digital data that can 
often be individualized 
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Classifications of Digital Evidence 


¢ By Function 


— Examining how a program functions 


— Classifying by types of malicious operations 
¢ Trojan 
¢ Virus 
« Worms 


— Identifying the computer that remotely controls 
or creates the program 


Forensic Computing 


Gathering and analyzing data in a 
manner as free from distortion or 
bias as possible to reconstruct data or 


what has happened in the past on a 
system. 


Reconstructing Damaged Evidence 


¢ Slack Space 


— A deleted file can often be easily recovered 


— A deleted file that is partially overwritten still 
leaves partial information in the slack space 


— More difficult for Unix since high level of 


activities quickly overwrite deleted 
information. 


Classifications of Digital Evidence 
¢ By Characteristics 


— Classifying the digital evidence by 
¢ File names 
* Message digests 
¢ Date stamps 


*etc 


Digital Evidence & Reconstruction 


e 2 aspects of reconstruction 


— Reconstructing digital evidence that has been 
damaged 


— Using digital evidence to reconstruct events 
surrounding the crime 


Reconstructing Damaged Evidence 
Shadow Data 


— Result of minor imprecision that naturally 
occurs when data is being written on a disk 


— Only some part of the data is over written 
leaving other portions untouched 


— Scanning probe microscopes and magnetic 
force microscope can recover these fragments 
to reconstruct the original evidence 
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Reconstructing Damaged Evidence 


¢ Binary Files 


— Evidence can also be retrieved from Swap files 
that are used to store temporary information 


¢ PAGEFILE.SYS in Win NT 


¢ Dedicated swap partitions in Unix 


Reconstructing A Crime 


3 aspects: 


Relational 
¢ Identifying the object, its source, and relations 
to other objects 


Functional 
¢ How the object was used 


¢ Temporal 


¢ The chronological sequence of the actions and 
events 


Digital Evidence Guidelines 


Do not violate any laws or give rise to liability 
when collecting digital evidence 


If these laws are violated, the evidence could 
be inadmissible 


Obtain a search warrant if necessary 


If the seizure interrupts a business 
unnecessarily, the investigators could be held 
personally responsible 
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Reconstructing A Crime 


¢ Using digital evidence to determine actions 
surrounding a criminal act 


¢ Establish what has happened, who caused 
the events, when, where, how and why 


Reconstructing A Crime 
¢ Avoid Pitfalls 
— Do not be too dependent on digital evidence. 
Look for supporting physical evidence when 
possible 
— Do not be influenced by the media, which tend 


to sensationalize and misreport facts, thereby 
changing the way we perceive facts. 


This slide is intentionally left blank 
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Section 4 


A Structure for 
Forensic 
Investigations 


Collection and Preservation 


¢ After computer equipment has been seized, 
the evidence it contains must be collected in 
a way that preserves its integrity. 


Employ an imaging utility to capture a 
forensically sound binary image of the 
evidence. 


Collection and Preservation 


Disk-level (as opposed to logical-level) 
hashing is not viable because even hard 
drives of the same manufacture, model and 
lot number may differ in size and location 
of bad sectors and maintenance sectors. 


Forensic Investigation Requirements 


¢ Evidence preservation 

¢ Lead formulation 

¢ Focused searches 

¢ Temporal analysis 
Evidence recovery 


Collection and Preservation 


¢ While processing an evidence disk, run a 
message digest program and record its 
output. 


Periodically, validate the entire logical file 
system or specific files to ensure they have 
not changed. 


Testing Initial Tools 


Trust in Forensic tools should not be 
explicitly based on the word of the vendor. 


Long-held beliefs that a certain tool will 
perform its function in a forensic manner 
must be tested. 
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Testing Initial Tools 


¢ Imaging utilities must be tested thoroughly 
or have its source code vetted to ensure the 
pristine nature of evidence. 


¢ Totest a tool, take hashes before and after 
imaging to determine if there are any 
discrepancies. 


Testing Initial Tools 
¢ James Holley conducted a thorough test of forensic 
imaging utilities. 


— Numerous imaging utilities worked fine against the IDE 
chain. 


— This discovery awakened many users and sparked 
investigations of other tools. 


— see Computer Forensic Tool Testing 
(www.cftt.nist.gov) 


Formulating Leads 


¢ The examiner must find an acceptable level of 
‘hits’ during a search. 


In some cases, false positive during the leads 
generation phase can be useful. 


However, in other situations this may be 
impractical, overly expensive, or detrimental to 
the investigation. 

— Client may have expense constraints 

— Short window of opportunity 

— Non effective case management. 


Testing Initial Tools 


¢ Another effective way to stress test tools is 
to manipulate the access modes of the 
controlling BIOS. 


Submit the tools to an array of size, bus and 
content testing, and from at least two 
operating systems. 


Formulating Leads 


When dealing with child pornography, this 
stage might involve analyzing all URLs and 


extracting all images on the suspect’s hard 
drive. 


When investigating an Intellectual Property 
theft, it may be sufficient to analyze 
communications and data transfers, and 
perform a key word search. 


Formulating Leads 


¢ Drawbacks of finding too little information. 


— Failure to find critical evidence can 


¢ Stop investigations 


¢ Destroy investigation confidence in the 
examiner 
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Formulating Leads 


¢ Having numerous lead-generation tools is 
vital. 


¢ Although buying more than | or 2 sets of 
tools can be expensive, it is a necessary 
aspect of computer forensics. 


Focused Search 


¢ Search the medium for specific information. 


¢ Focus and precisely pinpoint exactly the 
relevant details. 


* Conduct 
— Regular expression searches 
— Shell pattern searches 
— Hexadecimal searches 


Temporal Analysis 


¢ Temporal analysis is performed to ascertain 
date and time information of the evidence. 


¢ Identify deleted files, deleted subdirectories 
and when they are deleted. 


— Examine Windows Recycle Bin or Recycler 
entities in the respective registries. 


¢ Build an analytical timeline based upon 
information from the sources. 


Formulating Leads 


¢ Unix search and analysis commands are 
reasonably powerful. 


— awk is extremely powerful for performing 
analysis. 


— grep search can output binary data such as 
carriage returns and line feeds. This data can be 


piped to awkto redirect the requisite evidence 
into smaller database files. 


Focused Search 


¢ With NT being as ubiquitous as it currently 
is, support for Unicode is a requirement. 


¢ If a tool does not understand Unicode, it 
will miss vital evidence. 


Temporal Analysis 


¢ In Unix file systems, it is possible to 
determine file deletion time, assuming the 
inodes involved have not been overwritten. 


¢ Scattered data all rely upon one another and 
analysis of them as a whole. 


¢ Navigate through deleted subdirectories on 
FAT and VFAT using hexadecimal editors. 


114 
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Data/Evidence Recovery 


¢ Once the evidentiary material is located, it 
can be recovered from the medium. 


Some tools include the slack space when 
recovering a file, others stop at the 
appropriate byte offset, excluding the slack. 


Data/Evidence Recovery 


Certain Microsoft Office applications will 
refuse to open a document if they detect any 
information past a given point. 


Other applications in Office will read only 
up to the offset indicated by the file’s size 
attribute. 


Data/Evidence Recovery 


There are no tools that work against all file 
systems. 


Examiners should acquire file/data recovery 
tools capable of working against at least the 
top 5 most frequently used file systems 


— FAT, VFAT, NTFS, EXT2, UFS 


Data/Evidence Recovery 


¢ Recovering the contents of slack can be 


valuable if that slack contains additional 
evidentiary data, especially in Windows 
operating systems. 


If a file happens to require the original 
application that created it, slack at the end 
of a file can prevent the file from being 
viewed. 


Data/Evidence Recovery 


¢ If the application relies upon the file size to 


open the file, and 


— The forensic tool disturbs the file size by 
concatenating the slacks into an active file upon 
capture or recovery, 


¢ Trick the application into opening the file normally 
by modifying the file’ s size information. 


Data/Evidence Recovery 


¢ Data recovery/collection forensic tools 


should have error handling. 


¢ It should log any data recovery failures. 


¢ Ifit simply quits or skips the file, it is of 


little help. 
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Characterizing an Intrusion Characterizing an Intrusion 


Individualization ¢ Individualization and comparison can help 

— Determines unique factors presented in case. to link a Case. with other similar Pdses and 
uncover evidence that may be previously 
overlooked. 

Comparison . ; 

— Attempts to link the ‘fingerprint’ of the case Hash values for malicious files and user : 

with otherkenown' cases, names that are identical to those recorded in 

previous cases can be helpful in linking the 
case to the same intruder and his usual 
practices. 


Examiner’s Mindset Examiner’s Mindset 


¢ It is important for the examiner to remain If the examiner picks and chooses which 
objectives. action to perform as he goes along, instead 

of building the investigation on a solid 

framework, human nature may cause him to 


¢ If the examiner develops a set of required ‘cut to the chase’ by 


actions for a case type, regardless of the 
appearance of guilt, the evidence should — Skipping important steps 
stand out on its own and point to the truth. — Not look for certain types of evidence 


Examiner’s Mindset 


¢ Examiners must be analytical and detailed 
in nature; performing tasks in a meticulous 
manner. 
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¢ The training and background of an 
examiner will be a better ally than a tool. 





Section 5 


Computer Forensic 
Procedures 


Turning Off The Computer 


Information that may be lost from memory 


— Processes that were running 
— Network connections 
— Mounted file system 


Turning Off The Computer 


¢ An abrupt shutdown may 


— corrupt important data 


— damage hardware, preventing the system from 
rebooting 


— cause significant disruption and financial loss 


Computer Forensic Procedures 


Gain control of the situation 
— Take decisive actions 


Stop any active problems 
— Block the source of the problem 
— Limit the damage 


Map out damage area 


Prioritize areas for investigations 


Restore systems in order of operational priority 


Turning Off The Computer 


Shutting down a system before collecting 
volatile data can result in a loss of 
significant evidence when 


— Dealing with systems that have several 
gigabytes of random access memory 


— Systems have active network connections that 
are of critical importance to an investigation 


Turning Off The Computer 


¢ Retained information 


— Information on the disk in the RAM slack 


— Virtual memory in the form of swap and page 
files 
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Examining Retained Information 


¢ Disk editing programs and memory inspection 
tools can capture the entire contents of RAM 
and provide information about the processes 
that are running on asystem 

— Norton Diskedit 

— fport (www.foundstone.com) 

— handleex (www.sysinternals.com) 

— ps and pulist (Windows 2000 resource kit) 

— Coroner's Toolkit (TCT) automates the collection 


of volatile information from live computer system 
(www.porcupine.org/forensic) 
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Challenges of Investigating 
Criminal Activity 


The distributed nature of networks results in 
a distribution of the crime scene which can 
create practical and jurisdictional problems. 


Digital data is easily deleted or changed, 
hence it is necessary to collect and preserve 
it as quickly as possible. 


Challenges of Investigating 
Criminal Activity 


Necessary to associate an individual with 
specific activity on a computer or network. 


Even when offenders make no effort to 
conceal their identity, they can claim that 
they were not responsible. 


Physical vs Logical Examination 


¢ Viewing the file logically enables the 
examiner to determine the type of data 
stored (text file, executable file, 
bitmap...). 


Searching at the physical level may has 
potential pitfalls. If a file is fragmented, 
with portions in non-adjacent clusters, 


keyword searches may give inaccurate 
results. 


Challenges of Investigating 
Criminal Activity 


A wide range of technical expertise is 
required when networks are involved ina 
crime. Every network is different, 
combining different technologies in unique 
ways. 


A great volume of data maybe involved. 
Searching for useful evidence can be like 
looking for a needle in a haystack. 


Challenges of Investigating 
Criminal Activity 


Encryption can make it difficult or 
impossible for examiners to analyze 
evidence. 


Steganography, combines encryption and 
data hiding to create a file system that 
makes digital evidence recovery and 
reconstruction very difficult. 
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Computer Forensic: 
An Art or A Science? 


Because every investigation is different, it is 
difficult to create standard operating 
procedures to cover every aspect of in -depth 
forensic analysis of digital evidence. 


Therefore, it is important to have a 
methodical approach to organizing and 
analyzing the large amounts of data typical 
of computers and networks. 


Problems Gaining Access to Data 


¢ Difficulties posed by Encryption 


— Encryption applications can make records 
impossible to recover if they are used correctly 
and no data recovery procedures are in place. 


— If the user forgets the password or leaves the 
company, the producing party may not be able 


to produce a readable version of a protected 
file. 


Problems Gaining Access to Data 


¢ Difficulties posed by Obsolete or Missing 
Hardware and Software 


— As organizations upgrade, change systems and 
vendors, they leave a legacy of data potentially 
incompatible with their current hardware and 
software. 


Problems Gaining Access to Data 


Difficulties of finding where the data is 
stored 


— Records stored off-site raise difficulties because 
they are not in the producing party’s immediate 
custody. 


— The producing party may, therefore, not even 
know that the records exist. 


Problems Gaining Access to Data 


¢ Provision for Data Recovery 


— PGP can be configured to include Additional 
Decryption Key (ADK) that enables an 
authorized entity to decrypt and recover data. 


— Windows 2000’s Encrypted File System allows 
for data recovery agents. 


Problems Gaining Access to Data 


¢ Difficulties posed by Obsolete or Missing 
Hardware and Software 


— Old file formats become incompatible with the 
new applications, new hardware cannot read the 
old media. 


— Obsolete data may require substantial time and 
expense to retrieve and make readable. 





24 


Problems Gaining Access to Data 


¢ Difficulties posed by Obsolete or Missing 
Hardware and Software 


— Anticipating such a burden can mitigate its 
impact by 
¢ seeking orders or stipulations to apportion cost 


¢ lengthen the time to response 
¢ limit necessary effort on data discovery 


Preservation 


¢ Carry out preservation procedures 
immediately. 


¢ Prioritized preservation effort. 


¢ Exercise care to preserve records and avoid 
possible corruption. 


Preserve Media rather than Files 


Preserving the media also preserves residual 
or deleted data. 


The preserved media may contain other data 
that an examiner can use to authenticate, 
corroborate, dissect or discredit other files 
contained on the media. 


Consider the Cost of Failure 


¢ Investigation can be invasive, disruptive, 
and expensive. 


¢ Evidence corruption can occur 
unintentionally. 


¢ The normal use of computers and 
management of IT systems can result in the 
inadvertent destruction of evidence. 


Preserve Media rather than Files 


¢ Preserve the media, as opposed to 
preserving only the files that appear to be 
interesting at the time of initial review. 


¢ This will help to preserve not only the files 
of interest but also any files that may later 
turn out to be important as the case 
progresses. 


Examining the Bits 


¢ To reconstruct the past events with as 
little distortion or bias as possible. 


¢ There are a lot of places in the system 
that work together when a command 
is executed and these places can be of 
forensic interest. 
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Logging Information 


Operating systems maintain records of logins and 
logouts, and commands executed 


Individual subsystems maintain their own logging 


Mail delivery software maintains a record of 
delivery attempts 


Privileged commands, such as su (switch userid), 
are logged for every invocation regardless of its 
success or failure 
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Opportunities for Tampering 


¢ Library software 


— Execute trojan, open good file, backdoors. 


¢ Processes 
— On-the-fly memory patches. 


¢ Time Synchronization 


— NTP sync corrupted between network and 
logging devices. 


Hierarchy of Trust 


Hardware 

Controllers 

Kernel 

Device drivers 

Dynamic libraries 

Commands 

The shell & environment variables 


Opportunities for Tampering 


Media 
— Stash data in slack space, bad blocks. 


Firmware 
— CPU, BIOS, pal, disk, network controllers. 


Kernel 


— Loadable modules, on-the-fly memory patches. 


Applications 
— Rootkit trojan horse system utilities 


Layers of Information 


Raw bits 
— Media, RAM, wiring, buses 


CPU Controllers 


— Memory, disk, network, terminal, disk blocks, memory pages, network 
packets 


Kernel 

— Translates bits into files, processes, connections, sessions, authentication 
Library Software 

— Building blocks for applications 

Applications 

— Depend on both program and data files, names, files, ownership, time 

stamps 

Processes 

— Information processed multiple times 


Correlating Information 


¢ Each individual log file gives its own 
limited view of what happened on a system 


¢ How trustworthy is information from that 
log file when an intruder had an opportunity 
to tamper with the record to cover his tracks 


¢ Multiple sources of information must be 
correlated to reconstruct events 


Level of Trust >>> 


<<< Level of Information 
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Understanding Data Storage 


File systems typically store files as 
contiguous sequences of bytes, organized 
within a directory hierarchy 


Files and directories have attributes that are 
stored separately 


Deleting a file from the file system 
generally does not destroy its contents or 
attributes 


Logical Abstractions 


The trustworthiness of information is 
determined by its logical layering 


Only the physical level within the magnetic 
domains is real, however it is also the least 
accessible 


Abstractions of disk blocks, contiguous files 
and directory hierarchies are created by 
software which may have been tampered with 
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Logical Abstractions 


Stored information can be volatile and 
persistent at the same time 


The volatility of stored information is 
largely due to the abstractions that make the 
information meaningful 


Understanding Data Storage 


¢ Traces of older magnetic patterns still exist 
on the physical media 


Destroying or modifying data to hide 
evidence can leave significant marks 


Logical Abstractions 


The more levels of abstraction, the more 
opportunities for mistakes 


Without a file system, disk blocks are no 
longer grouped together into meaningful 
objects - reconstruction can be like solving 
a puzzle 


With more layers of abstraction, 
information becomes more ambiguous 10 


Order of Volatility 


Registers, peripheral memory, caches 
¢ Memory (kernel, physical) 

¢ Network state 

* Running processes 

¢ Disk 

¢ Floppies, backup media, etc. 
«CD-ROMs, printouts, etc. 
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Preventing Harm to the Business 


Taking hard drives from computers has a 
tendency to stop productivity. 


A quick solution would be to copy the hard 
drives so that the copy could be put in 
service and the original held for review. 


Evidentiary Images 


Bit for bit copying captures all the data on 
the copied media including hidden and 
residual information. Residual data permits 
the examiner to reconstruct deleted files. 


Preserving the media in bit for bit copies, as 
opposed to just copies of files, allows the 
flexibility to delve into facts and details the 
files themselves cannot disclose. 
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Preparing Evidentiary Images 


Imaging process should not alter the 
original evidence in any ways. 


Ensure that none of the imaging processes 
write any data to the original medium. 


The image or duplicate should recreate the 
original exactly. 


Evidentiary Images 


To obtain copies of the media for evidence, 
forensic analysis, or data recovery purposes, 
the producing party should make either an 
exact bit for bit copy of each medium. 


Theses evidentiary images (or duplicates) 
are to be used in the subsequent 
examinations or data recovery efforts 
instead of the original media. 


Evidentiary Images 


When the media can be write-protected, 
imaging may sometimes be dispensed with. 


The physical write protection of such media 
must permit the examiner to review, analyze 
or exact data without altering the media in 
any way. 


Preparing Evidentiary Images 


Note the serial number and other unique 
identification information of the original 
media, as well as the computer from which 
it came. 


This information permits link to its original 
medium and computer for authentication 
and identification purposes. 
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Preparing Evidentiary Images 


¢ The difference between the computer 
system’ s time and date and the actual time 
and data is important to either corroborate 
or discount the dates and times of files on 
that computer. 


¢ Record the examiners name and the date 


the image was made. 


Imaging Procedure 


Create an Evidence Acquisition Boot Disk 
(EABD) for the imaging platform. 


Remove the hard drive(s) from the source 
computer. 


Fill out an evidence tag with the serial 
number and other identification 
information. 


Imaging Procedure 


Attach hard drive to be imaged (“Source 
Drive’) to the imaging platform. 


Load the imaging software. 


. When specifying the source and target 
drive, note that fdisknumbers physical 
drives starting at 1. The imaging software 
and other partition utilities may start the 
number sequence at 0. 


Preparing Evidentiary Images 


¢ The examiner’s name and the date the 


image was made, serves as the link in the 
chain of custody for the evidentiary 
duplicate or image files. 


¢ Maintaining a chain of custody allows the 


examiner to later testify as to the veracity or 
authenticity of particular records. 


Imaging Procedure 


Label a forensically clean hard drive with 
an evidence label and attach the drive to 
the computer that will be used to prepare 
the evidentiary images. 


Boot the imaging platform with an EABD. 
Partition and format the hard drive. This is 
the drive that will receive the evidence 
files (“Target Drive’) 


Imaging Procedure 


Monitoring the acquisition. Someone 
should attend the imaging to ensure that 
the acquisition completes properly. 


. Boot the original computer with a 
bootable floppy. Enter the commands for 
date and time and note on the evidence tag 
the data and time represented by the 
computer and the actual data and time. 
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Processing Electronic Records Filtering Process 


¢ Three goals in filtering ¢ The filtering procedure may require a 
workspace twice as large as the volume of 


— To facilitate the attorney’s review of the data to be processed. 


records by making the records readable 


— To reduce the data that the attorney’s must 


: Create work directories to contain 
review 


— \prep Files requiring further processing 
— To gather information about the records that 


: : . —\review Data ready to be indexed for 
can be used later to identify and organize the : 
records. attorney review 


Filtering Process Data Filtering Steps 


¢ Other subdirectories . Access evidentiary image files and restore 
— \special Recovered, encrypted & email source files any backup data. 
— \pslack Extracted slack 
—\pcluster — Extracted unassigned clusters . Generate file lists containing hash values. 
— \rfiles Unprocessed files after reduction 
— \rslack Reduced slack . Recover deleted data. 


—\rcluster Reduced unassigned cluster ; 
« Caphuened’ sPrnceeced files . Recover slack and unassigned clusters. 


Identify and remove known files. 


Access or Restore Images or 


Data Filtering Steps Backup Tapes 


Remove other unnecessary file types. 


¢ Using Forensic Tools 


Remove duplicates. — Encase (www.encase.com) 


— FTK (www.accessdata.com) 


Identify and decrypt encrypted files. 


— Copy the image files to the workspace rather 
than using the original evidentiary images 


Extract e-mail and attachments. throughout the filtering process. 


10. Index text data. 





¢ In contrast with the relative ease of restoring 
hard drives, restoring backup tapes can involve 


¢ The most difficult work involved in restoring 
backup tapes may be configuring a system that 


¢ Data backed up off network servers often will 
not restore properly unless the data are restored 
to a system configured substantially the same as 


SA Gr RGN 


Access or Restore Images or 
Backup Tapes 


— Backup software should contain error-checking 


features to verify the quality of the restored 
data. 


— The restored files will not have the evidentiary 


fragility of files restored from evidentiary 


Access or Restore Images or 
Backup Tapes 


¢ Using Backup Tools 
— Safeback (www.secure-data.com) 
— Restore hard drives from evidentiary images. 


images, since the backup and restore operations 


will not have preserved residual data. 


Access or Restore Images or 
Backup Tapes 


a substantial effort. 


can properly receive the data. 


the original system. 


File List Information 


Long and short file names 

Extensions 

Last written or modified dates and times 
Created dates and times 

Last access dates and times 

Logical sizes 

File paths 

Hash value 


Generate File Lists 
and Hash Values 


¢ Obtain a list of all the files and their 
respective hash values. 


Since the data and time stamps of the files 
will change during the filtering process, the 
preliminary file information and hash values 
will serve as a reference for later checking 
of the authenticity or veracity of the files. 


Capture this information before any other 
activity might alter it! 
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Generate File Lists 
and Hash Values 


Generate file lists with software tools. 


Before exporting file list, populate the file 
property columns with data regarding hash 
values, file signatures, hash sets, known file 
values and other significant information 
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Generate File Lists 
and Hash Values 


¢ Processing of hard drive should be done in 


an environment that affords a level of write- 


protection to the data. 
However, data restored from backup tapes 


could be processed in Windows, since there 
is no concern about losing residual data such 


as slack or unassigned clusters. 
Software Tools: 


— hash and compare (www.maresware.com ) 
— rspsort (www.simtel.net ) 


Recover Deleted Files 


¢ Perform data recovery work on FAT file 
system in DOS. 
— Lost & Found (www.powerquest.com ) 

¢ Recovery of data from other file systems 
will typically require the use of tools 
specific to those other operating system. 

¢ To recover data from an NTFS volume, 
need to work within Window NT/2000 


— RecoverNT (www.lIc-tech.com) 


Recover Slack and 
Unassigned Clusters 


¢ Use copy or export commands in Encase or 
FTK. 


¢ getslack and getfree (www.secure- 
data.com) extract slack and unassigned 
clusters from both FAT and NTFS. 


¢ filter_i (www.secure-data.com), equivalent 
to the Unix strings utility, removes non-text 
data from the extracted material 


Recover Deleted Files 


Copy or export deleted files to the \special 

subdirectory 

— Use copy or export commands in Encase or 
FTK. 


— Preserve the directory structure in which the 
deleted files are found to avoid overwriting any 
recovered files. 


Recover Slack and 
Unassigned Clusters 


The purpose of extracting slack and 
unassigned clusters is to capture residual 
text data on the media for review 


2 steps: 


— Extract the slack and unassigned clusters to the 
\pslack and \pclusters subdirectories 


— Remove non-text characters from these files 
and write reduced data to corresponding 
subdirectories in \review 


Remove Known Files 


A large amount of data on the hard drive 
and on backup tapes consists of files, such 
as Operating system and application files, 
which are not relevant to forensic 
investigations. 


Identifies and excludes ‘known’ files by 
their hash values. 
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Remove Known Files 


¢ Encase or FTK have sorting and filtering 
features to isolate and exclude known files. 


¢ Identify matching hash values using 
compare (www.maresware.com) 


¢ Pipe resulting matches tormd (with 
overwriting) or 7m (www.maresware.com) 
to remove known files 


Remove Other Unnecessary Files 


Verify file extensions versus file types 


Moves mismatched files to\special 
subdirectory for separate processing 


Removes remaining files of known types 


diskcat (www.maresware.com) identifies file 
extensions against mismatched file types 


rmd or rm to remove irrelevant files 


Identify and Decrypt 
Encrypted Files 
Identify encrypted files in the remaining data 
and attempt to decrypt them if possible. 


Identify encrypted data by scanning files for 
specific character strings in file headers or 
footers. 


— FTK (www.accessdata.com) 


— Password Recovery Toolkit (www.accessdata.com) 


— ispgp (www.maresware.com) identifies PGP 
encryption 


Remove Other Unnecessary Files 


¢ Further reduce the data set by removing 
files based on file types. 


File extensions do not necessarily 
correspond to the file type. 


— Before removing any files, first run a test to 
identify any files whose file type does not 
match its extension. 


— Compare the file’s internal header information 
with its extension and identifies any 
mismatches. a8 


Remove Duplicates 


¢ Deduping 


— Remove duplicates of all data that have not 
changed between backup sessions. 


— Identify duplicates by matching names, path 
and hash values 


Identify and Decrypt 
Encrypted Files 


¢ Moves encrypted files to \special subdirectory 


for decryption 


¢ Attempt to obtain the password from the person 


who encrypted the file 


¢ Otherwise, recover the password for the 


encrypted file with password recovery software 


— Password Recovery Kit (www.data-secure.com ) 
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Extract E-mail 


¢ Some e-mail applications store message and 
attachments in proprietary formats that 
cannot be reviewed with text -searching 
software. Need to rely on appropriate email 
application. 


Extracted e-mail messages should be 
converted to a text format that can be 
indexed for data reduction, de-duping or 
decryption as necessary 


Indexing 


Search through the files in the /review 
directory by running a series of string and 
index-based searches. 


Review the indexing log to determine if any 
files could not be indexed and why. 


Bates Numbering 


¢ Number the records for electronic management. 


¢ This provides a more accurate way to refer to 
files. 


¢ Sequential numbering schemes are traditionally 
used by attorneys to label paper documents for 
identification. 


Indexing 


After data reduction, the \review directory now 
consists of 


— \rfiles All the files not excluded by data reduction 


— \rslack All data from slack 

—\rclusters Unassigned clusters 

—\converted Recovered deleted files, decrypted files, 
extracted e-mails. 


Indexing 


¢ For an index-based search 
— Index the entire review directory using a search 
application 
¢ dtSearch (www.dtsearch.com) 
— Indexing will take time since search will read 
each file and build a database of all terms and 


character combinations found in each of the 
files. 


Bates Numbering 


bates_no (www.maresware.com) generates a 
unique serial number for each file 


After Bates numbering, an examiner can refer 
to the files produced during analysis by their 
unique Bates number rather than file name. 


Once files have been Bates numbered, 
generate a new file list of all the respetive 
files with their hash values. 
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Forensics using 
MAC Times 


MAC Times 


¢ MAC times keep track of the final time a 
file is disturbed 


Reading a file changes the atime attribute 


— When a program runs, atime of the executable 
file changes 


— Many systems can disable atime updates 


mtimes are changed by modifying a file's 
contents 


NTFS MAC Times 


When a file is copied, the mtime of the target 
file is the same as the original file 


The atime and ctime are the times when the 
new file is created 


This can make a file appear as though it was 
created after it was modified 


The atime in NTFS not always updated 
when a file is accessed 


MAC Times 


atime _ time of last access 

mtime time of last modification 
ctime time of last status change 
dtime __ time of deletion (Linux only) 


¢ MAC times are volatile 
¢ If present & unaltered, MAC times are invaluable 
¢ Examine MAC times directly using /stat) 
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MAC Times 


* ctime keeps track of when meta 
information about the file has changed 


¢ dtime keeps track of when the file is 
deleted 


— In systems without dtime, ctime may be used 
as an approximation of when the file was 
deleted 


Storing File Attributes 


¢ Unix system directories store only the 
names of the files and their corresponding 
inode numbers. The rest of the information 
about the file are kept in the actual inode of 
a file. 


NTFS relies on a Master File Table (MFT) 
to store information about the files in an 
NTFS volume. 
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Reading MAC Times Reading MAC Times 


. Permissions File Name See note on next slide 
Login from a remote host to a target system a. -TWSt-xE-x Jusr/bin/login 1 
inetd ls -rwsr-XI-X /usr/etc/in.telnetd 


? -rwsr-xr- /usr/etcAnetd 
— listens to the telnet port, * pe ee 


a. -TW-r-1-- /etc/group 
— forks off the telnet daemon ae epspeps Jetchnotd 
telnetd a. -TW-T-E-- /etchtytad 


1 

1 

2 

2 

2 

— executes the login program © -Tw-rwoIw- /etchutmp 3 
3 

3 

2 

1 


lo in -TW-r-1-- /var/adm /lastlog 
§ . -TWw-r-i-- /var/adm Avtmp 
— authenticates the user aehaes Jetefpasswd 


— updates the login accounting files P ERrretne Woaicen 
— becomes the shell 


Notes on MAC Times Concealed Login 


Permissions Owner Group File Name 

Irwxrwxrwx root staff /ust/bin/cc 

-f--f--1-- root staff /ust/include/lastlog h 

- - root staff /ust/include/pwd.h 
root staff /ust/include/stdio.h 
root staff /ust/include/sys/fentlcom.h 
root staff /ust/include/sys/file.h 
root staff /usr/include/sys/signal.h 
root staff /ust/include/sys/stat.h 
root staff Just/include/sys/ stdtypes h 
root staff /ust/include/sys/ sysmacros.h 
root staff /usr/include/sys/types.h 
root staff /ust/include/utmp.h 

- - root staff /ust/include/vm/faultcode. h 

“tWXI-XI-X root staff /ust/lib/epp 

-1W-I--1-- bin bin /ust/lib/lang_info 

oI-XI-XI-X root staff /ust/bin/as 

o1-XI-XI-X root staff /ust/lib/ecom, 

Irwxrwxrwx root staff ib 

-TWXI-XI-X root staff /ust/bin/Id 

-TWXI-XI-X bin bin /ust/lib/compile 

-1W-1--1-- root staff /ust/lib/crt0.0 

ot-X1--r-- root staff Just/lib/libe.sa.1.8 


1. Programs executed 
— login, in.telnetd, inetd, csh 
* atime changed 
2. Configuration and authentication files 
used 
— group, motd, ttytab, passwd 
* atime changed 
3. System accounting files modified 
— utmp, lastlog, wtmp 


* mtime and ctime changed 


a 


Concealed Login MAC Times are Universal 


The cc, cpp,as, and ld commands were executed ¢ MAC times can be obtained from a running 
Several header files (lastlog.h and utmp -h) were machine or a dead disk 

accessed 

A C program was compiled 


; i ¢ The machine reading the MAC times does 
System doesn't show any login activity 


not have to be of the same operating system 


>> Someone probably broke into the system and type asthe system thal geueraied Wiedata 


compiled a stealth program to remove the 
presence from the system accounting files 
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MAC Times are Delicate 


¢ Collect MAC times as quickly as possible before 
gathering any other forensic data that might 
destroy them 


¢ Collecting MAC times must be done cautiously 


— Istat() directories before opening them and examining 
their contents 


— Opening a directory for reading changes the atime 
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MAC Times are Invaluable 


¢ MAC times can provide invaluable information 
about what programs and files are used on 
operating system startup or shutdown 


¢ Windowing systems in firewalls and other 
security -sensitive systems add tremendously to the 
system complexity 
— Too many file accesses, can cloud MAC times analysis 


— Operating systems that cannot operate without a 
windowing system have an inherent security 
disadvantage 


MAC Times of a Deleted File 


° UNIX 
— Ownership and MAC times are preserved 


¢ NTFS 


— Does not remove all the file information, it 
sets a flag in the file record of the MFT 
telling the file system that the file is not in 
use anymore 


MAC Times are Delicate 


¢ Message digest must be done after the /stat) 
— Reading a file changes the atime of that file 


¢ Work from a duplicate 
— Mount the media as read-only 


— Alternatively, turn off atime updates 


MAC Times of a Deleted File 


¢ When a file is removed, the ctime is set to 
the time when the last link to the file has 
been destroyed, which is most often at the 
time it was deleted 


¢ The inode is also deleted from the 


directory entry, making recovery difficult, 
but not impossible 


Problems with MAC Times 


¢ MAC times only report on the last time a 
file has been disturbed 


¢ No way of reporting on the historical 
activity of a file or directory 


¢ They are less useful on busy multi-user 
systems with lots of activity 
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MAC Times Manipulation 


¢ UNIX systems can use touch command to 
change atime and mtime. 


¢ NTFS and UNIX filesystems can also use 
utime() system call to change atime and 
mtime 


¢ NT provides SetFileTime() system call to 
change all three times at once 


‘This slide is intentionally left blank 


‘This slide is intentionally left blank 


MAC Times Manipulation 


¢ An intruder can reset the system clock and 
then change the ctime 


— Changing the system clock can cause other 
warning flags 


¢ Alternately, the intruder can write directly 
to the inode. 


This slide is intentionally left blank 


This slide is intentionally left blank 
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Forensics on Windows 
Section 7 
¢ FAT file system 
5 — Comprised of file allocation table and folders. 
Forensics on — Uses 8-bit ASCII/ANSI character set. 
Windows 
¢ NT file system 


— Uses several metadata files to keep track of 
files and folders on a given volume. 


— Represents all character strings in 16-bit 
Unicode. 


Master File Table Master File Table 


¢ MFT is asystem file created during the ¢ MFT records store attributes of files and 
formatting of an NTFS volume. folder, including the MAC timestamps. 


* There is an MFT record for every file, * MFT records also contain a flag that 
including an entry for itself. indicates its allocation status. 


. — If zero, the record is marked for deletion, or is 
¢ Metadata files are located in the root folder unallocated. 


with names beginning with ‘$’. 


Windows 2000 Metadata Files Windows 2000 Metadata Files 


Record File Name Description Record File Name Description 
0 $MFT Master File Table (MFT) $ATTTDEF Table of attribute definitions 


1 $MFTMIRR_ Copy of the first 16 records of : Root folder 
the MFT 


2 $LOGFILE List of file system transactions SEIEMAE Bitinap representanon/o: used 


and unused clusters on volume 
3 $VOLUME Information about the volume, $BOOT Boot record with bootstrap 
including NTFS version, volume loader code if the volume is 
names, and volume creation bootable 
time. 





Windows 2000 Metadata Files 


Record File Name Description 
8 $BADCLUS List of the bad clusters in the 
volume 
$SECURE Stores security descriptors 
(W2K only) 


$UPCASE Conversion table for converting 
lowercase characters to matching 
uppercase Unicode characters 
$EXTEND _ Enables file system extensions 
such as volume quotas 
(W2K only) 


Files and Folders 


¢ When a folder contains more index entries 
than it can fit in its MFT record 


— Additional data are stored on disk in index 
buffers 


— Locations of these index buffers are stored in 
the $INDEX_ALLOCATION attribute 


MFT Record 


¢ Fora file 
— Header 
— $FILENAME 
— $STANDARD_INFORMATION 
—$DATA 
— Attribute List 


¢ Resident attributes are contained within the MFT 
record. 


¢ Non-resident attributes reside in clusters on the 
volume. 


Files and Folders 


FAT system 


— Filenames are on stored in 32 byte structure. 


NTFS 


— Filenames (index entries or index allocation) 
are variable in size to accommodate variable 
lengths. 


MFT Record 


¢ Fora folder 
— Header, name, etc 
— $INDEX_ROOT 
— Index entries 
— $INDEX_ALLOCATION 


Bitmap File 


¢ The $BITMAP file keeps track of cluster 
usage. 


— If a cluster is used, the bit in the $BITMAP file 
is changed to a one. 


— When a cluster is available, the bit is zero. 
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Bitmap File 


Bitmap File 
¢ To allocate a file ¢ When a file is deleted 
— The $BITMAP file must be modified to reflect — Its cluster references in the $BITMAP file are 
that the used clusters are allocated changed to zero 
— An allocated MFT record must be created for — The MFT record for that file is marked for 
the file 


: . deletion, its index entry is deleted. The entry 

~ An index entry must be created for the file below it are moved up, thereby overwriting the 
name in the parent folder’s MFT record or 
? deleted entry 
index buffers 

— Cluster extent entries must be created in the 


— The file is deleted but the data are still on the 
file’s MFT record if the file is non-resident. 


hard disk, its MFT record still exists with its 
deletion bit set to zero 


Bitmap File Folder Entries for FAT 


¢ Recovering a deleted file 


— If the MFT record can be located, the deleted — A new folder entry is created in the same 
file’s resident attributes cam be recovered, folder. 
including its name and timestamps. 
— NTFS overwrites deleted MFT entries before When a user moves a file 
creating new ones. Therefore, any deleted files — The file’s folder entry in the original folder is 
recovered from an NTFS volume will have 
deleted 
been deleted recently. 


— The MFT records are quickly overwritten but z coe folder couy is created iehiie desunalon 
their non-resident attributes may remain on disk : 
indefinitely and hence can be recovered. 


¢ When a user renames a file 
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Folder Entries for FAT Folder Entries for FAT 


¢ Renaming and moving a file within a * Ifa file has a short file name, the information 
volume result in the creation of folder available is the 
entries that have 


— Last seven characters of the filename 


— Extension 
— The same dates and times as the original entries — MAC times 


— The same starting clusters 


— Starting cluster 
— The same file sizes 


— File length 
— Status of the attribute bits 
* Ifa file has a long file name 
— The complete file name may be available. 





Folder Entries for FAT Folder Entries for FAT 


¢ A moved file’s deleted and intact folder The examiner can plot the MAC times 
entries have identical contained in all of the folder entries 
eile Sarde pertaining to a file to identify 
_iCreation dates — The date that the file was first placed on the 
volume 

— The date(s) that the user modified the file 

— The most recent date that the user accessed the 
file 

In NTFS, examine the MFT records and 

index buffer 


— Modification dates 
— Starting clusters 
— File length 


Folder Entries for FAT Folder Entries for FAT 


¢ If a folder is deleted, its data area is not To locate deleted folders 
necessarily affected. — Search for the occurrence of a deleted file 


starting with the E5 hex value 


¢ If the deleted folder’s entry still exists in the — Search for patterns that identify a folder rather 


parent of the deleted folder, that entry is than a file. 
marked as deleted, but the entry still 


: : — Examine the cluster(s) that the folder occupied 
contains a pointer to the data area of the to identify entries that relate to files that were 
deleted folders. located in that folder. 


Folder Entries for FAT Folder Entries for FAT 


¢ Folders on a FAT system consists of 32 byte 


* Caution: 
entries. First 11 bytes contain 


— 8 bytes short name of the file or folder — After a subfolder is deleted, its data could 
— 3 bytes extension. coincidentally be overwritten by a new folder‘s 


: : data 
¢ Folders also contain 2 other 32 bytes entries for ~ Examinets inay get'a false impression that they 
— The folder’s parent are looking at the old folder’s data when they 
¢ First 11 bytes contain 2 dots (2E) followed by 9 spaces (20h) are actually looking at the new folder’s data 
— The folder itself 


¢ First 11 bytes contain | dot (2E) followed by 10 spaces (20h) 
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Recycle Bin 


¢ The Recycle Bin is a hidden system folder 
that operates in accordance with different 


tules than those that govern standard 
folders. 


¢ The folder is named 
— Recycled in Win95/98 
— Recycler in WinNT/2K 


Recycle Bin 


¢ The deletion timestamp can be found in the 
INFO file. 


¢ Each INFO file record is 
— 280 bytes in Win95/98 
— 800 bytes for WinNT/2K 


Recycle Bin 


¢ An INFO file record containing metadata relating 
to a particular file is often effective in confirming 
or refuting computer users’ explanations 
regarding the presence or history of computer file 
recovered from their drivers. 
— File deleted by the operating system do not leave a 
record in the INFO file. 


— INFO file record indicates that a user knowingly 
deleted the file. 


Recycle Bin 


When a user deletes a file, it is moved to 
the Recycle Bin. This results in 


— The deletion of the file’s folder entry in the 
folder in which the file resided 


— The creation of a new folder entry in the 
Recycle Bin 


— The addition of information about the file in a 
hidden system file, INFO, in the Recycle Bin. 


Recycle Bin 


* Every file sent to the Recycle Bin is renamed 


in the following format: 
D [original drive] [index no] [original extension] 


Appended to the INFO file is 

— The file’s original name and path 

— Its index number in the Recycle Bin 
— Its date and time of deletion 


Recycle Bin 


¢ Ifa user’s explanation for the presence of a file is 


that it was inadvertently downloaded during 
Internet activity 


— The file’ s location when it was deleted may tend to 
support or refute that contention. 


— If the user deleted a particular file residing in a default 
download folder, or in the Temporary Internet Files, the 
explanation is more plausible that if the file was in My 
Documents. 
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Recycle Bin Recycle Bin 


* When the user empties the Recycle Bin ¢ From the folder entry of the deleted INFO 


: ee : file, the examiner can decode 
— Windows deletes the files in the Recycle Bin and the INFO 
file. 


— The INFO file may have been deleted but a folder entry for — The timestamps the files were deleted 

the deleted INFO file still remains. — The locations of those files at the time they 
— The first character of the entry is changed to ES hex but the were sent to the Recycle Bin 

rest of the entry remains intact. 


— If the contents of the files are not overwritten, the records 
are available for examination. 


Recycle Bin Recycle Bin 


¢ When the INFO file has been deleted and If the examiner identifies an INFO file 
additionally the file’s folder entry has been record for a file and there are no indications 
overwritten that the file’s path existed on the seized 
media 
— The INFO file may still be intact in unallocated or : eee 
slack space. —TItisan indication that there may have been 
— The examiner can search the entire driver for auethies Piste Ob cena ates compile 


and there may therefore be more undiscovered 
unique characteristics of the INFO file’s contents. evidence. 


Recycle Bin Shortcut Files 


¢ If the drive letter is unaccounted for 


¢ Windows\Desktop folder contains shortcut 
(Ink) files. 

= lb pan ndicatonuhal sere aay pave Deen © The shortcut files contain the fully qualified 
another volume attached to the computer when : 
the file referred to by the INFO file record was paths of the files that they refer to. 
deleted. oe ee, 

¢ The shortcut files may provide indications 


about the current and previous configuration 
of the user’s desktop. 





Shortcut Files Shortcut Files 


¢ The shortcut files have folder entries that 


¢ The installation of an application may result in 
record their MAC times. 


the creation of a shortcut in the Windows\Start 


: ; Menu folder. 
— The examiner can compare these dates with the 


dates related to the application’ s associated files The user may move that shortcut to the deskto 
and folders. y P, 


: ; but this action would result in the creation of the 
— This comparison may show that the shortcut was Ale indicat devia that 

created after the installation of the program, ON ECs CIC ALES all ; as aaa al 

giving rise to the possibility that the user — The user knew of the application’ s existence. 


intentionally created the shortcut and therefore 


— An application program, which is no longer present 
knew of the existence of the application. 


on the computers, was installed at one time. 
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Shortcut Files Shortcut Files 


¢ Windows\Recent folder contains shortcut 
files that point to data files that were opened 
on the computer. 


¢ The MAC times provide a means of 
connecting a volume with the volume that 
the operating system is running on 


¢ The data area of the shortcut file contains — Ifa shortcut file refers to a target file that is 
— The filename and fully qualified path located on a removable volume, the shortcut 


file will contain the MAC ti that i 
— The MAC times, which provide a secondary es eae ae Anne wri 


oy ie as the target file’s folder entry on the removable 
source to track a file’s history. volume 


Shortcut Files Thumbs.DB 


The search for shortcut files can be 


¢ Viewing any graphics files thumbnails is 
conducted in the 


accomplished by the creation of a hidden 
: system file named Thumbs.DB. 
— Allocated area of the disk 


— Unallocated area of the disk * Thumbs.DB contains a copy of each graphic 
¢ The examiner may conduct a search of unallocated : : : 
space for unique characteristics of the shortcut file files in the folder in .BMP format and their 


or its contents. modification dates. 
— Swap file 





Thumbs.DB 


¢ The user may delete files from the folders, 
but the copies of those files in the 
Thumbs.DB file may not be removed. 


¢ Examination of the Thumbs.DB file may 
reveal that a file once existed on the volume 
and its modification timestamps, even 
though it is no longer existent. 


Registry Entries 


¢ The Windows registry is a repository for the 
hardware and software configuration 


— On Win95/98, registry is comprised of 
« WINDOWS\SYSTEM.DAT 
« WINDOWS\USER.DAT 


— On WinNT/2K, registry is comprised of 
¢ several hive files located in %systemroot%\system32\config 


¢« NTUSER.DAT files related to each user account. 
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Registry Entries 


¢ The Registry can be viewed using 
— regedit on Win95/98 
— regedt32 on WinNT/2K 


— regdmp utility in the Windows NT Resource Kit to 
list the contents of a registry key 


¢ In WinNT/2K, each registry key has a 
timestamp of the most recent update to the key. 


Index.DAT 


¢ Internet Explorer caches website that a user visits, 
in the C:\Windows \Temporary Internet Files 
folder and maps filenames to the system files. 


The Index.DAT file uses as many 128-byte 
blocks to describe each file. The records contain 
— The URL 

— The date that the page was last modified by the server 
— The date that the URL was last accessed by the user 
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Registry Entries 


¢ The registry stores information about many 
aspects of the system in cells. A cell might 
reveal 


— Software installed on the subject machine 
— Recently used programs and files 


— Recently accessed servers using Telenet . 


Printing 


¢ Printing involves a spooling process. 


¢ Print spooling is accomplished by creating 
temporary files that contain both the data to 
be printed and sufficient information to 
complete the print job. 
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Printing 


¢ Files with extension .SHD and .SPL are 
created for each print job. 


The .SHD file contains information about 
the print job, including 

— The owner 

— The printer 

— The name of the file printed 

— The printing method (RAW or EMF). 


Printing 


¢ .SPL file in EMF format on Win95/98 
contains 


— Name of the file printed 
— Printing method 
— A list of files that contain the data to be printed. 


¢ The files containing the data to be printed are in 
enhanced metafile format 


¢ They have names in the format of ~EMFxxxx. TMP 
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Printing 
¢ Inanetwork environment 


— The .SPL and .SHD files are found on both the 
workstation and the servers. 


— The examiner may examine the volume for 
allocated and deleted .SPL, .SHD and 
~EMFxxxx.TMP files. 


Printing 


¢ In RAW format, the .SPL file contains the 
data to be printed. 


¢ In EMF format, the .SPL file in Win95/98 is 
different from that in WinNT/2K 


Printing 


¢ .SPL file in EMF format on WinNT/2K 
contains 


— Name of the file printed 
— Printing method (EMF or RAW) 
— The data to be printed. 


¢ The .SHD .SPL and .TMP files are deleted 
after the print job is completed. 


Printing 


¢ The .SPL and .SHD files contain the name 
of the files to be printed and its fully 
qualified path. 


— The existence of a file in enhanced metafile 
format suggests the deliberate act of printing. 


¢ This may indicate knowledge on the part of the 
user of the existence of a particular file. 
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Printing NTFS Log File 


— The path may suggest that other media 
containing evidence exists. 


* The $LOGFILE is created during the 
formatting of an NTFS volume 


— To keep track of transactions 
— If the original file that the user printed does 


: : : : — To enable NTFS to recover from system crashes. 

not exist on the seized evidence, the file may y 

be found in enhanced metafile format. ¢ By documenting the operations to be conducted to 
complete a transaction, NTFS can undo or redo 


transactions that are only partially completed when a 
system failure occurs. 


NTFS Log File NTFS Log File 


* To delete a file * The $LOGFILE contains 
— The $BITMAP file must be changed to show 


— Index entries 
the clusters as unallocated 


¢ To describes filename and MAC times 
— The MFT record must be marked as unallocated — Copy of MFT Record 
— The index entry must deleted * MFT records all file information beginning with 
‘File’ followed by a 2A hex value 
— Link files 
¢ Link files are preceded with the link file header 
— Index buffers 


¢ Index buffers are preceded with ‘INDX’ 


* These steps are recorded in the $LOGFILE 
so that each step in the transaction can be 
executed again or undone if problems arise. 


— Ifacrash occurs, NTFS can complete partially 
completed transactions. ae 


Windows NT Event Logs Windows NT Event Logs 


¢ Microsoft WinNT can be configured to log ¢ System logs include events in the system’s 
events in binary files operation such as a failed or successful 
driver startup, an application crash or errors 
; associated with data lost. 
— System events in SysEventevt 


— Application events in AppEvent.evt ¢ Application logs are for events recorded by 


— Security events in SecEvent evt. applications. 





Windows NT Event Logs 


Security logs contain information such as 


logon and logoff events, file manipulation, 


and other resource access events. 


Additionally, WinXP comes with the 
software-based Microsoft Internet 
Connection Firewall that has its own log 
files. 


Windows NT Event Logs 


Windows NT has descriptive messages 
stored in the Registry and separate files. 


The Event Viewer combines and displays 
the information in these files, providing a 
convenient way to view the data. 


— Double click to bring up the Events Details 
windows. 


Windows NT Event Logs 


¢ When viewing event logs on a remote 
system. 


— The Event Viewers will read the event record 
data from the remote log files, but will search 
the registry of the local system for the 
corresponding event message files. 


Windows NT Event Logs 


¢ An event log entry has 3 sections 


— Header: 


¢ Date, Time, Username, Computer Name, Event Id, 


Source, Type, Category 


— Event Description 


¢ Information about the event or recommended 
remedy 


— Additional Data 
¢ Optional binary data. 


Windows NT Event Logs 


¢ WinNT stores descriptive messages in the 
Registry and various messages files. 


* Copying *.evt files from one system to 


another for examination may result in 
misinterpretation. 


Extracting Event Log 


Extract the event logs from the image 
files. 


Extract all related information referred to 


by the EventLog registry key: 


— HKEY_LOCAL_MACHINE\SYSTEM\ 
CurrentControlSetServices\EventLog 
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Extracting Event Log Extracting Event Log 


3. Extract the system hives file from 
— WINNT\System32\Config 


6. Under the EventLog 
Open the Application, Security, and System 
sub-keys 
4. Open regedt32, go to 
— HKEY_LOCAL_MACHINE 


Export each key as a .reg file. 

Examine the data portion of each key for 
EventMessageFile 

This will reveal the path and file name of the 
file the Event Viewer uses to display 
explanatory text for each event. 


5. In HKEY_LOCAL_MACHINE, locate key 
— CurrentControlSet or ControlSet00x 


Extracting Event Log Extracting Event Log 


7. Extract the required executables (.exe) or 
dynamic link libraries (DLL). 


9. Import the registry keys (*.reg) into the 
forensic workstation’s registry. 


: 2 : 
Be sit ie ek pOned ace a escuen tat 10. It may be possible to open an extracted 


— The path in the EventMessageFile statement 
points to the location of the appropriate 
extracted files on the examination system. 


— The created key should state the sub-key as 
CurrentControlSet rather than ControlSet00x 
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Extracting Event Log 


— Most of the time, the Event Viewer will report 
that the file is corrupted and will refuse to open 
it. 


— The log is rarely actually corrupted 


— When the event logging service does not shut 
down cleanly, the Windows Service Control 
Manager does not reset several bit values that 
indicate the files is open and thus cannot be 
accessed. 


* evt file with the Event Viewer using the 
ActionlOpen Log File menu option 


Extracting Event Log 


— The event logging service cannot be stopped 
while WinNT/2K is running to prevent 
intruders from disabling event logging. 


— WinZapper can break the Event Log service 
without shutting it down, enabling an intruder 
to remove individual entries from Event Log 
files that are in use by the system. 





50 


Loading Logs into Event Viewer 


1. Go into Services in the Control Panel 
— Disable the events logging service. 


— The event logging is disabled automatically 
when the system is rebooted. 


2. Reboot the forensic workstation 


— Check Services to ensure that the event 
logging service is not on. 


Loading Logs into Event Viewer 


6. Open the Event Viewer to display the logs 
from the imaged system. 


— This will add new events to the log files 
stamped with the current date and time. 


To minimize contamination, immediately 
generate new copies of the event logs 
using the Event Viewer’s save as 
command. 


Displaying Logs in Event Viewer 


— Microsoft recommends dumpevt 
(www.systemtools.com) for dumping contents 
of events logs into a format suitable for 
spreadsheets and databases. 


— Importing contents of multiple log files into a 
spreadsheet makes it easier to sort events 
chronologically and search all the logs 
simultaneously. 


Loading Logs into Event Viewer 


3. Goto the WINNT\System32\Config folder 


— Rename the SecEventevt, AppEventevt and 
sysEvent.evt files to something else. 


4. Copy the event logs extracted from the image 


to the WINNT\System32\Config folder. 


5. Go into Services 


— Set the event logging service to manual start. 
— Start the event logging services. 


Displaying Logs in Event Viewer 


¢ Although convenient, displaying logs using 
the Event Viewer is not very conducive for 
analysis 


— Event Viewer is not integrated with other data 
processing tools. 


Displaying Logs in Event Viewer 


When adjust for daylight saving is enabled, 
dumpevt does not adjust event time 
correctly 


— Events are one hour off. 


Corruption of event log record may occur 
— Accidentally due to software bugs. 


— Deliberately by reporting of misleading events 
that impersonate other event sources. 
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Internet Information Server Logs Internet Information Server Logs 


¢ IIS logs are generally located in ¢ The access log files are in Common Log 
— %systemroof\sytem32\logfiles\ Format (CLF) 


¢ Remote host ¢ Status code 
¢ Each time a file on a Web server is accessed 


; P ¢ UserID ¢ # bytes returned 
over the Internet, an entry is made in an j 
access log file. ¢ Date ¢ Referring URL 


¢Time ¢ Browser 


¢ Request 


Win2K IIS Log Web Server Access Codes 


¢ IIS log in Win2K differs from CLF, and e Success 
has the following format: 
_ IP address — 200 Success 
— Date and time - 201 Okay Post 
P ; nat —202 Okay Processing 
— Processing time in ms 
; — 203 Partial Information 
— Bytes sent to client 
— Bytes received by server mize, (Okay Noaesponse, 
— Size 


— HTTP web server access/result code 


Web Server Access Codes Web Server Access Codes 


¢ Redirection ¢ Client Errors 


— 300 Data Requested Have Moved — 400 
— 301 Found Data Has a Temp URL — 401 
— 302 = Try Another Location -—402 External Redirect Error 
— 303 Not Modified -—403 Forbidden 

— 304  Success/Not Modified —404 File Not Found 


Bad Request 


Unauthorized Access 





Web Server Access Codes 


¢ Server Error 


—500 = Internal Error 

-—501 Method Not Implemented 
—502 Server Overloaded 

—503 Gateway Timeout 


Example of IIS Unicode Exploit 


4. Uses TFTP to download a replacement 
E.asp page 
— S/script/../..winntsystem3 2/fip .exe/ 
-it+rooted.ntserver.com+get+E.asp 


5. Runs the E.asp page to install trojan 
horse 


— /script/E.asp 


Examining IIS Logs 


¢ It may be possible to distinguish between an 
automated tool probing a Web server and a 
human exploring a Web server by the speed 
and regularity at which sequential requests 
are made. 


Example of IIS Unicode Exploit 


1. Intruder obtains a directory listing of C:\ 
— /script/../../winntsystem32/cemd.exe/c+dirt+c\ 


2. Removes read-only permission on E.asp page 
— /script/../..winntsystem32/attrib.exe/E.asp+-r 


3. Deletes E.asp page 
— /script/../..winntsystem32/cmd.exe/c+sel+E.asp 
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Example of IIS Unicode Exploit 


6. Removes read-only permission on E.asp 
page 
— /script/../..winntsystem32/attrib.exe/E.asp+-r 


7. Deletes E.asp page 
— /script/../..winntsystem32/cmd.exe/c+del+ E.asp 


Examining IIS Logs 


¢ When a human is browsing or exploring a 
Web server, access log entries often show 


temporal gaps between viewed pages as the 
individual reads the contents of the pages or 


assesses the results of the requests. 


¢ A human may misspell a page or return to a 
particular page several time. 
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Examining IIS Logs 


¢ Web proxies can also be used to conceal the 
IP address. However, these proxies will 
have log files showing which computers on 
the network accessed which Web pages on 
the Internet. 


Processing Evidence on MS Exchange 


¢ The registry in the original server usually 
contains most of the information that is 
needed to configure the restoration server. 


— The Microsoft Support Knowledge Base 
contains articles detailing where some of this 
information is located. 


Information Store Restoration 


1. Shut down all of the Exchange services on 
the restoration server 


2. Delete contents in the Exchsrvr\Wdbdata 
folder 


3. If the files come from an offline backup, 
copy the contents of Exchsrv\Mdbdata on 
the restoration server. 


Processing Evidence on MS Exchange 


¢ Microsoft Exchange is tightly integrated 
with the operating system 


— It is not feasible to restore the Exchange 
database files and examine them directly. 


— It is necessary to build a restoration server 
identical to the original server that has the same 
¢ Computer, site and organization names 


¢ Versions, service packs, and hot fixes of Windows 
NT and Exchanges. 


Processing Evidence on MS Exchange 


It may be necessary to install backup 
software because Exchange runs as a 
service on the operating system and keeps 
certain files open at all times. 


To successfully preserve these open files, 
the backup application must use special 
processes to save the online email databases 
files. 


Information Store Restoration 


4. Ifrestoring from an online backup, restore 
the Exchange Information Store only. 


5. Restart the Exchange System Attendant 
and Exchange Directory services. 
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Information Store Restoration 


6. Openacommand prompt windows 
— Change directory to ExchsrvABin 
cd ExchsrviBin 
— Run isinteg with the patch command option 
isinteg —patch 


7. Start the remaining Exchange services. 


Information Store Restoration 


9. The DS/IS Consistency Adjustment will 
repopulate the Exchange directory. 


10. The examiner can now access the 
mailboxes of specific individuals or 
accounts. 


Processing Evidence on MS Outlook 


¢ Email migration tools 


— UniAccess (www.comaxis.com) will extract 
emails messages out to an HTML format, with 
hypertext links from messages to their 
attachments. 


— Exlife (www.ornix .com) will convert the email 
messages to text files. Attachments are 
extracted out of the pst into their native format. 
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Information Store Restoration 


8. Open the Exchange Administrator Program 


Select the restoration server as the server to 
administer. 


Highlight Server Object 

View Properties 

Select Advanced tab 

Under DS/IS Consistency Adjustment 


¢ Select All Inconsistencies 


Processing Evidence on MS Outlook 


¢ In many situations, the Outlook email 
clients will not have sufficient capabilities 
to perform a full forensic analysis. 


The examiner have to translate email 
messages and attachment from the pst file 
into a format more amenable to searching 
and analysis. 


Windows Active Directory 


Active Directory (AD) is core components of 
Win2K 


This central repository for critical data contains 
— User accounts 

— Passwords 

— Email addresses 

— Personal data 

— Security settings 

— Auditing settings 
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Windows Active Directory 


¢ AD is stored on Domain Controllers in 
— %systemroof\NTDSMitds.dit 


— The ntdsdit file can be viewed using the Active 
Directory snap-in in Microsoft Management 
Console. 


‘This slide is intentionally left blank 


‘This slide is intentionally left blank 
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Forensics on Unix 


Section 8 


Unix recognizes 2 basic user types: 
: — Superusers or Root (USERID=0) 
Forensics — Ordinary users (USERID!=0) 


on Unix When a system administrator creates a new 
user account, the system acknowledges the 
new user by adding user entries in the 
/etc/passwa file. 


The new user is assigned a unique USERID. 
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User Permissions User Permissions 


¢ When the user logs into the Unix Other processes run on behalf of the user 


environment, a shell process is executed on will have the same permission which is 
behalf of the user. known as the real user-id (ruid). 


¢ The owner of a process is identified by his A user may execute a file owned by root, 
USERID. where Set User-ID (SUID) functionality 
allows the process to run with root 
privileges. 


User Permissions User Permissions 


¢ For example: — The passwd program used to change passwords has 
SUID permission set so that it runs with root (user-id 
— The /etc/shadow file contains encrypted passwords 0) privileges. 


and does not allow ordinary users to modify it for : F : 
y y — This allows ordinary users to update the otherwise 


security reasons. locked /etc/shadow file. 


= However, this file is updated when users change — Listing the passwd executable file will show an ‘s’ 
their password. over the file owner’s executable permission, 
signifying the SUID permission. 





Backdoor to Root Shared Files 


¢ Reviewing and comparing SUID files to a known ¢ Special attention should be given to world- 
baseline for those files, may identify a backdoor writeable files, especially system files. 


that gives an ordinary user root privileges. — Anyone can place a malicious code on the system. 


¢ The find command will produce a comprehensive : : 
: ; ie ¢ To list all world writeable files 
list of files with the SUID/SGID permission set. Pee) ey om na Sr omer e 
— Set Group-ID (SGID) permission allows an executing # find /-type dV -perm -2 -o -perm -20\) -exec ls —Id {}\; 
process to inherit the group privileges rather than the 
file owner privileges. 
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File Hashes File Hashes 


¢ When analyzing a system without baseline ¢ After installing the subject operating system 
files, examiners must create or obtain their 
own. — Create amd5sum hash of the targeted system 
binary directories 
Creating a baseline may involve installing the eDin 
operating system or coordinating with ofustoin 


. * /sbi 
vendors for a baseline. sate 
¢ /usr/sbin. 


Sun@Micosystems ’ Solaris Fingerprint 
Database contains close to 1 million md5sum 
hash entries of trusted binaries. 34s 


— Compares the two files using the Unix 
command diff. 


System Configuration Facility Levels 


¢ The /etc/syslog.conf file sets the facility and Auth Security and Authorization-related commands 
priority level of individual logs. 


Authpriv Private authorization messages 

Cron The cron daemon 

~ Facility is the service that an event will Daemon System daemons (may cause redundant logging) 
originate 


SA nage des , . 7 K The k 1 
— Priority is the extent to which logging will a ieee! 


occur. User User process 


— The facility and priority make up one field, News Usenet mews system 


separated by a period. Mail Mail system 





Priority Logging Levels 


Emerg Panic situation 

Alert Urgent situation 

Crit Critical situation 

Err Other error conditions 
Warning Warning messages 
Notice Unusual occurrences 
Info Usual occurrence 


Debug All occurrence 


System Services 


¢ Examiners can get an idea of what services are 
launched by understanding the Unix scripting and 
services. 


Other services are initiated when needed by a 
daemon that listens for network requests. 


— This daemon is called the Internet Daemon and is 
controlled by /etc/inetd.conf. 


— This file will provide the name of the service, the type 


of delivery, protocol, wait status, uid, server and any 
arguments. 


User Accounts 


¢ User-id 0 should be reserved for root only. 


¢ Any other shared user-id 0 should be 
questioned. 


¢ Verify that daemon accounts, including 
‘nobody’ 


— Do not reference a user shell 
— Should state /bin/false 


System Services 


Some Unix services are specifically initiated 
or terminated based upon the configuration 
of scripts located in the /etc/rc directories. 


The directories are named according to run 
level and each script starts with 

— § for start, K for kill 

— For example 


* /etc/rc3.d/S80sendmail is the sendmail Startup script 
initiated at run level 3. 
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User Accounts 


¢ The /etc/passwd file identifies 
— User account names 
— User and group ids 
— User general information 
— User home directory 
— User shell 
— If it contains password hashes, the system is 


vulnerable to password cracking. 


¢ Password hashes are commonly protected in the 
/etc/shadow files. 


Scheduled Jobs 


¢ Intruders sometimes create scheduled jobs to 
ensure that certain malicious processes stay 
running. 


— On Linux, scheduled jobs are in found /etc/ron.d 
¢ These jobs are run at intervals determined by /etc/crontab. 


— Other Unix systems store cron jobs in 
/var/spool/cron/crontabs. 


¢ The binary file /usr/bin/crontab runs as the effective user 
(suid) root. 
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Bh, 


Standard Unix Logs 


wtmp /wtmpx 


utmp /utmpx 


Lastlog 


Keeps track of login and logouts. Grows in 
length and is extended to wtmpx. The /ast 
command refers to this file for information 


Keeps track of users currently logged into the 
system. Provides output for the commands w, 
finger and who. 


Keeps track of each users most recent login 
time and records their initiating IP Address 
and terminal 


Standard Unix Logs 


syslogd 


A daemon that refers to the syslog.conf 
configuration file for detailed logging. The 
names of further logs are identified. Logs 
with unique names and locations may be 
identified in this file. 


Messages .[0-X] Records major events and is usually rolled 


over into historical logs with naming 
conventions: messages, messages. 1, 
messages.2, messages.3 


Standard Unix Logs 


acct/pacct 


Packet 
sniffer logs 


Used to bill users on their CPU usage. 
Maintains a list of user’ s commands and their 
process time they used. 


Captures network IP packets. The administrator 


may run a packet sniffer to maintain statistics, 
troubleshoot problems, or overall manage of 
the network. It is often used to capture 
usernames and passwords. 


Standard Unix Logs 


Sulog 


Httpd 


History files 


Router logs 


Records the usage of the su switch user 
command. 


Tracks originating IP address of WWW 
connection. 


Keeps a record of recent commands used by 
the user. Usually kept in the users $HOME 
directory. 


Witness system. 


Standard Unix Logs 


FTP Logs.xfr 


maillog 


Maintains extensive logs to track incoming 
connections and typically shows the 
originating IP address of the connection. 


This is usually facilitated by syslogd in the 
same format. It provides status of mail 
handling. 


Records the use of dial out facilities. Records 
username, time, date and phone number. 


Login Process 


¢ Unix tracks current and previous activity 
using lastlog, utmp and wimp. 


¢ Each time a user logs into a Unix system, 
the login program searches lastlog file for 
the user’s UID. If found, the time and 
location where the user last accessed are 
written to standard output. 
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Login Process 


New login time and hostname are updated 
in the Jastlog file. 


The utmp file is opened and a record for the 
user is inserted. 


The utmp file contains a list of current 
logins. 


The utmp file is used by rwho, wand who. 
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Login Process 


¢ The wimp file maintains a history of login 
activity on the system. 


¢ The wip file is used by the program /ast 
andac. 


¢ The default wimp file will increase without 
bound. It is normally truncated by the daily 
scripts run by cron, which rename and 
rotate the wimp files. 


Shell History Files 


¢ When multiple-shells are involved 
concurrently, cached commands are written 
into a new file after the history file has been 
deleted. 


¢ Default locations for history files 
— .history for C shell (CSH) 
— .sh_history or .ksh_history for Korn Shell (KSH) 
— .history for Bourne Again Shell (BASH) 


Login Process 


¢ When the user logs out, the entry in the 
utmp file is deleted. 


¢ Data in the wimp file are appended to the 
wimp file. 


¢ Another record is added when the user logs 
out, enabling /ast to provide the session 
duration. 


Shell History Files 


¢ The shell history record commands issued 
in the shell environment, of which the 
examiner can track commands the intruders 
issued to the system. 


¢ The history log is stored per-user basis ina 
user’s home directory. 


Restoring Tape Images 


¢ Unix system allows many useful ways of 
looking at the data from the tape. 


¢ Linux provides many useful utilities, 
additional file systems and device handlers. 
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Restoring Tape Images 


¢ Determine the name of the tape drive 
— Cycle through a loop 


— Substitute each number from a list 


¢ Drive names in SunOS/Solaris 
/dev/rmt/{ drive#:0,1,2 }[density indicator:],m.h,u,e][berkley ][no rewind] 


¢ Drive names in Linux 
/dev/ [no rewind }t{ drive#0 1,2} 


Determining the Tape Drive 


¢ For Linux: 


For drive0 123456789 
>do 


>mt -f /devhst$(drive) status 
>done 


Ensuring Write Protection 


¢ If write-protected, the status shall have the 
WR_PROT flag set. 


— 8 mm tapes 
¢ Protected if red tab is covering the hole 
¢ Unprotected if hole is visible 


— 4mm DAT tapes 
* Protected if white tab is opened 
¢ Unprotected if white tab is closed 


Determining the Tape Drive 


For Solaris: 


For drive0 123456789 
>do 


>mt -f /dev/rmt/$(drive)n status 
>done 


Determining the Tape Drive 


¢ Look at what SCSI devices are available 


cat /proc/scsi/scsi 


¢ Check the status to ensure the write- 
protection has been set. 
mt-—f /dev/nst0 status 


Determining the Block Size 


¢ Set the block size to zero in order to 
automatically seek the block size used 
mt—f /dev/nstl setblkO 


¢ Common block sizes 
— 521 bytes for dd 
— 10240 bytes for tar or cpio. 


— Some proprietary backup commands use block 
sizes that adjust or vary throughout the tape. 


¢ In this instance, use tcopy to copy the data 
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Determining the Block Size 


¢ Read one block with the tape drive on 
automatic and check how big it is. 


#dd if=/dev/nstl of=test_file count=1 bs=512k 


Source Destination Read only | Block Block Size 


— Rewind the tape to the beginning 
— #mt —f /dev/nstl rewind 


Checking the File Type 


¢ Most tape will have header information on 
the file type. 


If the file command does not give a clear 


determination of the type of data, examine 
the file manually using 


— xxd (hex dump) 
— od (octal dump) 


Identifying Attached Hard Drive 


¢ Disk drives are generally of two main types 
— IDE 
— SCSI 


On Linux IDE 
— Primary controller 
« Master drive is dev/hda 
¢ Slave drive is /dev/hdb 
— Secondary controller 
* Master drive is dev/hdc 
* Slave drive is /dev/hdd 


Checking the File Type 


¢ Verify the type of data stored on the tape 
# dd if=/dev/nst2 count=1 \file — 


¢ The file command will give an indication for most 


formats of tar, cpio and backup 


¢ The examiner should use the appropriate 


command to restore the data from the tape. 


Manual Tape Copy 


¢ Duplicate a copy and store the original 
evidence away. 


# mt —f/dev/nst0 setblk 1024 Set Block Size on Source, with No Rewind 


# mt —f /dev/nstl setblk 1024 set Block Size on Destination, with No Rewind 


# dd if=/dev/nst0 of=/dev/stl bs=1024 


— Repeat the dd commands until all files on the 
tape have been copied. 


Identifying Attached Hard Drive 


¢ Linux partitions 
— Partitions will add a number: hdb1, hdb2, hdb3 
and hdb4 for the primary partitions. 


— Extended partitions start with hdb5, hdb6 and 
so on. 


Sun partitions 
— Disks are numbered from 0 to 7. 


— Slice 2 is referred to as the ‘backup slice. 





63 


Identifying Attached Hard Drive 


¢ SCSI disk devices 


— Typical names are /dev/sda and /dev/sdb. 


— The first SCSI disk device detected will be 
letter a, the second D and so on. 


— A failure or removal of a driver or SCSI 
controller card may cause the name of a drive 
to suddenly change. 


Identifying Attached Hard Drive 


¢ The fdisk command for Linux is very useful 
in listing drive and partition information on 
block devices. 


¢ Examiners may verify what devices they 
expected to see through the partition 
information. 


Duplicating a Hard Drive 


¢ Disk duplicate can also be performed using 
#dd_ if=/dev/sda of=/dev/sdb; sync 


¢ Verification can be performed using md5sum 
# dd if=/dev/sda | mdS5sum 


# dd if=/dev/sdb count={# of records} | mdSsum 
— If the destination drive is larger than the block count 


limit, it will have to be added to ensure that the 
md5sum does not consider the trailing zeroed bytes. 
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Identifying Attached Hard Drive 


¢ SCSI disk devices 


— File systems automatically mounted at boot time may 
no longer function if a failure is encountered. 


— All drivers required for boot should be verified and 
mounted manually to protect the evidence. 
« Automatic mount at boot only recommended for Linux IDE. 


— SCSI drives have a physical write-protect jumper that 
can be set to provide write protection. 


Clearing a Hard Drive 


* Clear the new disk of all data 
— sync ensures all buffer caches are written to disk 
# dd if=/dev/zero of=/dev/sdb; sync 


¢ Verify that the disk has been cleared by 
dumping the device out to display all non- 
zero bytes. 
# dd if=/dev/sdb | xxd\\ 
grep —v “0000 0000 0000 0000 0000 0000 0000 0000” 
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Mounting a Hard Drive 
¢ Use the mount command to 


— Show devices already mounted on the system. 
— Verify what mount points already been used. 


— Make available the logical files within the file 
systems. 
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Mounting a Hard Drive 


¢ Show that the file system is available 
logically and is read-only. 


¢ Use the loop option to ignore cylinder 
/head/sector parameters and access the 
block device block by block. 


#mount —r—t ufs -o loop /dev/sdbl1/TARGET 


Unix System Logs 


¢ Not all programs makes an entry in wimp in 
all cases. 


— The sshd does not make an entry in wtmp when 
using scp port forwarding. 


¢ The wimp log can be corrupted by an 
incomplete write 


— Hence necessary to analyze log entry using 
customized programs 


Unix System Logs 


¢ For added security, use tcp_wrappers to 
restrict access to a server and generate more 
detailed entries in the system logs. 


¢ Not all programs can be wrapped using 
tcp_wrappers, hence host-based firewalls 
are often used to restrict access. 


Unix System Logs 


¢ The Jast command is used to query wimp 
log files to determine who logged into a 
system and when they logged out. 


— The Jast command on most system truncates 
hostname. 


Unix System Logs 


¢ syslog sends information to a central logging 
host using the UDP protocol. 


— UDP is an unreliable connectionless protocol. 


— syslog timestamps the log entry with the date and 
time of the syslog server, not the sending host. 


¢ This can introduce a time discrepancy. 


— The syslog server has no way of confirming the 
origin of a given log entry. 


¢ Hence possible to forge a log entry and send it to the 
syslog server. ou8 


Unix System Logs 


¢ Host-based firewalls can create very 
detailed logs because they function at the 
datagram level, catching each datagram 
before it is processed by tcp_wrappers. 


— Firewalls can log all connections to a host, both 
those permitted and rejected. 
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Unix System Logs 


e Sun has a Basic Security Module (BSM) 
that creates audit records similar to NT 
Event Logs in a binary format. 


— To convert the binary audit logs into readable 
text, use 


© praudit 
* auditreduce 
¢ BSM Event Viewer 


Unix System Logs 


¢ Email Servers 


— Simple Mail Transfer Protocol (SMTP) is used 
to deliver email over the Internet. 


— Post Office Protocol (POP) enables individuals 
to read email by downloading it from remote 
server. 


— The Internet Message Access Protocol (IMAP) 
enables individuals to view email while 
residues on the server. 


Unix System Logs 


— POP and IMAPO servers require username and 
passwords before providing access to the 
personal email. 


— Thus, if a message has been deleted from the 
server, there may still be evidence of its 
existence in the server’s log files. 


¢ SMTP servers keep logs that pass through. 


¢ IMAP and POP servers keep logs of who checked 
emails. 


Unix System Logs 


¢ Web Servers 


— Web servers such as Apache and Netscape 
running on Unix have log files similar to the 
Microsoft Internet Information Sever. 


Unix System Logs 


— SMTP servers do not usually require a 
password. Thus, it is 


¢ Easy to forge messages 


¢ Difficult to prove that a specific individual sent a 
given message. 


Unix File System 


Label...Partition...Partition...Partition... 


Super Inode Data Inode Data Super Inode Data 
Block Bitmap Bitmap Blocks Blocks Block Bitmap Bitmap... 
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Disk blocks File Types 


directory/home/usr 


Regular file 
Directory 


Dan ial inodel 11 


Wietse 246 owner/groupID 


Permissions 
file/directory/etc 
data block #s 
data blocks 


data content 
data content 
data content 
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File System Properties 


Everything is placed in one logical tree. 
— No C: or D: drives 


— Even devices are accessible through the file system. 


Directories are files 

— Except that users can’t write to them 

— Some remote file systems may disallow reading 
Files may contain holes 


— No data is written in holes 
— Holes read back as all-zero blocks 


File Attributes 


Ownership 
— Numeric user and group ID 


Permissions 
— Read, write, execute for owner, group, other 


Types 

— File, directory, symlink, device 
Reference count 

File size in bytes 


Time stamps 
— MAC times 


Symbolic link (alias for other file) 
Device (e.g., terminal, disk, memory) 


Inter-process communication: named pipe, 
socket 


File System Properties 


Multiple references are possible for a file 


— A file can appear in multiple places, even in places 


owned by different users 


Zero references are also possible 


— A file can still exist after it is removed 


No built-in undelete provision like DOS 


Wasted space only 0.5 kbytes at the end of a file 
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Physical Locality 


¢ Modern UNIX file systems do not scatter 
the contents of a file randomly over the 
disk to avoid fragmentation 


¢ The file system locality allows deleted file 
contents, access time patterns and other 
attributes to survive long after a file is 
deleted 


¢ When a file is deleted, the system makes 
only minimal changes to the file system 
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Permanency of Delete Content 


¢ A really secure delete takes time 


¢ It is possible to recover data from the disk 
even after overwriting multiple times 


¢ It is possible to recover data from the RAM 
after powering off 


Grafting to Hide Effects of Wiping 


¢ All-zero free blocks are unusual 
— Raise suspicion of wiping 


¢ Solution 


— Overwrite free space with plausible data 


¢ Cloning/grafting 


— Use copies of recently accessed files from the system 


¢ Eg. mail, program source code, web pages/images 


Effects of File Deletion: Inode 


¢ The inode file attribute block is marked as 
unused in the inode block allocation bitmap 


¢ Some file attribute information is destroyed, 
but a lot of information is preserved 


¢ Linux preserves the connections between 


the file inode block and the first 12 file data 
blocks 


To Wipe a UNIX System 


Wipe files before removing them 
Wipe free space 


When shutting down the system 
— Wipe swap space 

— Wipe memory 
Wiping software 

— http:/Ahc.pimmel.com/ 


Effects of File Deletion: Directory 
The directory entry with the file name is marked 
as unused 


The file name becomes disconnected from any 
file information 


Names of the deleted file can still be found by 
examining a directory with the strings command 


Linux does not allow directories to be accessed in 


this manner. 
— Use the icat utility to work around this restriction 
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Inode Information for Deleted File 


Ownership: Time stamps: 
— Numeric user and — Last file Modification 
group ID — Last file Access 
Permissions: — Last status Change 
— Read, write, * Owner, permissions, refcount 
execute for owner, Reference count 
group, other — Zeroed when removed 
Types: File size in bytes 
~ File, directory, — Zeroed, except LINUX 
symlink, device, : 
FIFO, socket List of data block numbers 
— Zeroed, except LINUX 408 
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Effects of File Deletion: Data Blocks Effects of File Deletion: Summary 


«Directory 
—Name Preserved, disconnected from file 


File data blocks are marked as unused in their Fie bute 
é . *Inode attributes 
block allocation bitmap -Owner Preserved 


—Group ownership Preserved 
—Last read access time Preserved 


Contents in the file data blocks are left untouched —Last write access time Preserved 


—Last attribute change time Time of Deletion 


File data blocks are no longer connected with the Spee we Gare) ear aes 


—Directory to ref count Destroyed (Preserved in Linux) 
file —File type Destroyed (Preserved in Linux) 
Access permissions Destroyed (Preserved in Linux) 
—File size Destroyed (Preserved in Linux) 


Linux has an option to erase file data blocks upon —Data block addresses Destroyed (Preserved in Linux) 
. : *Data blocks 
file deletion, also the first 12 data blocks remain —Data contents Disconnected (Preserved in Linux) 


connected to the inode block 409 


Erasing the Tracks Finding the Tracks 


* An intruder may remove exploit source and ¢ When a program is compiled, executed or deleted 


executable code after they have served their — The compiler processes the source code 
¢ It creates several temporary files before the executable 
purpose program pops out. 


ae ¢ When the intruder compiles, runs or deletes an 
As the result of such cleanup activity, the exploit program 
only visible evidence is the last — We can find traces of the deleted files 


modification time of the directory * Program source file 
* Executable file 


¢ Compiler temporary files 


Finding the Tracks Access Time Patterns 


Use the l 1 Ss utility to retrieve the file attributes File Size MAC Permissions Directory File <Dir-Inode #> 
85 om. -wt-r- wietse  <hda6311549> Create source file 


— The deleted files have no names, disk names and 10897 i hdal 2022: Chee: 
mac -tw-r-r-- —wietse_ ~— <hdal 2022> Compiler temp file 


file inode numbers are used a0 M=Write/Create 


A=Read/Run 
872 eee RS HIST C= Change Attribute/Delete 


85 a. -twet-r~ —wietse — <hda6 311549> Read source file 


Compiler temporary files live in the same file eer Create executable 


. IWXFXE-X — wietse #4173 <hda6 -311550> 
system zone as the Amp directory a, -twxexex wietse  <hda6311550> Run executable 
— The deleted temporary files is overwritten only UR Rie tee IGE EEC NE EEE 
aw-+r—-r-- —_- wietse <hda6 311549> 
when a process needs to create a new temporary 
file. 


-aw-+t-r-- —_ wietse <hdal 2023> 


Delete source file 
-TWXEXI-X — wietse <hda6 311550> Delete executable 
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Forensics on the Network 
Section 9 
* Log files contains large amounts of trace 


: information. 
Forensics on 


the Networks ° IP address may not pinpoint the culprit, but 
it does narrow down the search to a 
particular machine. 


¢ Server logs record which IP address had 
used a specific services at a specific time. 


Forensics on the Network Challenges of Network Analysis 


IP address are stored in the Web server * Evidence is often distributed on many 
access log. computers. 


Dialup modem banks and BOOTP/DHCP — The distributed nature of the networks may 
servers create log files of IP address make it impossible for investigators to gain 

: physical access to the device that contains 
assignments. valuable evidence. 


Firewalls and routers keep log of the 


: — It may be necessary to collect evidence from a 
TCP/IP traffic passing through (usually remote system or access an active network 
incoming). 


device to collect volatile data. 


Challenges of Network Analysis Challenges of Network Analysis 


Evidence is often present on a network for ¢ When collecting network log files, it may 
only a short time. not be feasible to shut down the systems 


— Such information is stored in volatile memory — Evidence in volatile memory can be lost if the 
of network devices or in network cables. network cable is disconnected or the computer 


is turned off. 
— Windows of opportunity for collecting this 


volatile evidence is very small. — It may be difficult to make a bitstream copy of 
the hard disk. 
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Difficulties of Collecting 


Challenges of Network Analysis NETIC Evenee 


— One approach to gathering evidence from a system 
entails using the who and netstatcommands to * Log files contain overwhelming information 


send the results into a file on an external device. at the transport and network layer 


— This technique minimizes the impact on the system ¢ State tables contains activities of many users 


when valuable evidence may be stored in slack and but are only available for a short time 
unallocated space. : A 
¢ Cutting and pasting on segments of a log file 


Encryption is becoming more common, which is not satisfactory from the evidentiary 
allows criminals to scramble incriminating viewpoint for authenticity and integrity of the 
evidence. digital evidence 
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Network Evidence Collection Collecting Evidence on Network 


Consider taking print screen snapshots 1. Maintain a log using Unix script command 
or Telnet/SSH session logged to a file. 

Use message digests to preserve the Videotaping. 

integrity of the original copies of all log 

files, and perform investigations on . Resolve all IP addresses to obtain their 

duplicate copies associated canonical names so that both 
the IP addresses and names are available at 


Cross comparison of the log files can a later dates even if the name is changed in 
provide a rich source of evidence the domain name system. 


Collecting Evidence on Network Collecting Evidence on Network 


3. Use SNMP to obtain information from 6. Encrypt and digitally sign all evidence 
routers and firewalls. files to preserve the integrity. 


Take printscreen with date and time from . Seek and collect corroborating 


a trusted time source. information from multiple independent 
; sources. 
Use traceroute to document the location 


of the host being accessed. . Access log entries in the IDS. 


Query the DHCP server. 





Log Analysis Network Traffic Reconstruction 


¢ Look for traffic anomalies * Itis not feasible for an examiner to 
comprehend all traffic by viewing its hex 
* Look for traffic originating from or representations. 
terminating on the compromised machines 
¢ Examination tools are required to 
reconstruct the packets and display them in 
traffic a way that facilitates analysis. 


¢ Look for broken or unusual patterns in the 


Network Traffic Reconstruction Network Traffic Reconstruction 


— mailsnarf and webspy can reassemble and — review (security @net.ohio -state.edu) can 
display application layer data in real time, process the original binary data in a tcpdump 
providing an effective way to monitor an log. By piecing together TCP packets and 
individual’s online activities. extracting the original payload, it is possible to 

obtain files that the intruder downloaded from 

— NetWitness (www.forensicexplorers.com) has or uploaded to a system. 
the capability to capture traffic (or read a 
tcpdump file), reconstruct session, display 
content in real time and analyze the traffic. 


Routers NetFlow 


¢ Routers can be configured to keep traffic- ¢ A growing number of routers have NetFlow to 
related logs. improve routing performance. 


— However, routers are often configured with ¢ When the NetFlow feature is enabled, routers 


minimal logging to conserve storage space on record detailed information about each flow 


the central server. : : 
— Current time according to the router 


— Start and end times of the flow 


— Source and destination IP addresses and ports, IP 
protocol type, number of packets and bytes in the flow. 
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NetFlow NetFlow 


¢ If the system is compromised, NetFlow logs 


Once the source of the attack is known, 
will show 


NetFlow logs can be searched for other 


machines on the network that were targeted 
— The source of the attack by the attacker. 
i EClce ls used ¢ NetFlow packets are exported when a flow 
ends, resulting in a log files with entries 
sorted by flow end times. 
— Amount of data transferred 


— Ports accessed 


— Sort NetFlow logs using the start time of each 
flow before attempting to interpret them. 
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NetFlow NetFlow 


¢ NetFlow record does not indicate which 
host initiated the connection, it only 


indicates that one host sent data to another 
host. 


¢ NetFlow records exported from a router are 
encapsulated in a UDP datagrams 


— Some of the records may not reach the intended 


logging server. Thus, the logs may not be complete. 
— Therefore, it is necessary to infer which host 


initiated the connection. — Newer NetFlow records contain a sequence number 


that can be used to determine if any records are 
— Sorting the relevant flows using their start times missing or if forged records have been inserted. 
to determine which flow was initiated first. 


NetFlow Dialup Server 


¢ NetFlow records are sometimes exported 


When an individual dials into the Internet, 
before a flow is terminated. 


there are two forms of evidence at the ISP 


~ Thus, a single flow may cause several flow — The contents of the terminal server’ s memory 
record to be created. 


: — The logs from the associated authentication 
— In this case, several flow records may have to 

be combined to determine the amount of data petvers 

transferred or duration of the flow. 





Dialup Server 


¢ The TACACS authentication system 
keeps records of the time, user name, 
terminal server and port, and IP address 
for each login and logout event. 


TACACS assigns code requests dealing 
with SLIP connections 

— LOGIN (Type=1) 

— LOGOFF (Type=7) 

— SLIPON (Type=9) 

— SLIPOFF (Type=10) 


Dialup Server 


¢ The logs from RAM can be collected using 
the show logging command. 


¢ Each log entry contains the 
— Date and time 
— Facility code 
¢ SEC, SYS, SSH, BGP 
— Severity 
— Message 


Pen Registers 


¢ A pen registry is a device that is physically 
attached to a target phone line. 
¢ It records all of the numbers that are dialed 


through that line with the time and duration 
of the calls. 


¢ It provides a complete record of incoming 
and outgoing phone calls for the suspect. 


Dialup Server 


* Restrict the modem pool to authorized users 
by requiring users to authenticate with a 
user name and password when they connect. 


¢ The TACACS logs can then identify the 
account that was used to authenticate access 
to the modem pool. 


Dialup Server 


¢ The show history command can be used to 
list the commands executed during the 
examination. 


Phone Tracing 


Requesting a phone company to trace an 
intruder presents a problem when dealing with 
a modem pool 


— Many phone circuits are associated with a single 
dial-up number 

— Need to correlate the phone traces against the 
modem pool authentication logs and match phone 
calls against login sessions. 

— Event lag and clock offset complicates correlating 
the authentication logs against the phone traces, 
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Phone Tracing 


¢ Phone switch records 
— Server = Terminal server name 
—Line =Porton the terminal server 
— Slip = DNS name for the IP address 
associated with that port. 


This information can help trace an IP address to 
a specific terminal server/port and to a unique 
circuit id, span, channel and trunk for the phone 
company to trace the circuit in real time. 


Network Traffic 


¢ When a hub is used, communication between 
machines on the same network is visible to all 
machines connected to the hub, making 
eavesdropping very simple. 


¢ When a switch is used, communication between 
machines is not visible to all computers on the 
subnet. However, 
— ARP proxying can be misused to intercept traffic 
— dsniff (naughty-monkey.org/~dugsong/dsniff) 447 


Network Sniffer 


— Timestamp options 
ed Delta Time since receiving the previous datagram 
¢a Absolute Clock time 
¢r Relative Time relative to the first datagram displayed 


— The absolute time is usually desirable because it can 
be easily compared with timestamped information 
from other sources. 


— The -p option can be used to display time relative to 
any selected datagram. 
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Network Traffic 


To monitor network traffic, sniffers decode 


datagrams and display them in an easy-to-read 


format. 


Etherpeek (www.etherpeek.com) provides 
several views of captured traffic 


— It shows the raw data, the decoded data, and 
interpreted view showing what the data represent. 


— Etherpeek can also be configured to generate an 
alert when traffic matching specific criteria is 
detected. 
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Network Sniffer 


Snoop is network sniffer installed by default 
with SunOS/Solaris. 


Entries in the snoop are not time-stamped. 
— The -f option is required to timestamp entries 


— Timestamps are accurate to within 4 
microseconds. 


Capturing TCP Packets 


tcpdump (www.tcpdump .org ) can be 
installed on most versions of Unix and has 
been ported to Windows. 


tcpdump can also be used to capture UDP 
datagrams . 





75 


Capturing TCP Packets Capturing TCP Packets 


* tcpdump only captures the first 68 bytes of a * tcpdump represents TCP flags as follows: 
datagram by default —S SYN Synchronize sequence numbers, 


— To collect more information, set a larger snaplen establish connection 


value using the —s option. —F FIN Terminate connection 
— Using a larger snaplen increase the chance of ~R_ RST Reset connection 
overloading and losing datagrams —P PSH Push data, do not buffer before send 
-. No flag set 
¢ Filters can be used to reduce the amount of 
information that tcpdump collects. 


Examining TCP Logs Examining TCP Logs 


1. tcpdump can contain the complete . Use review (security @netohio -state.edu) 
contents of all network traffic for each of as a graphical user interface to browse the 
the sessions, including the data portion of tcpdump log 
the packets. 

Look at the summary of the contents of a 
Use the filtering expressions in the single log, view the contents of sessions 
tcpdump to pull out packets of interest within a log and replay the contents of 
from the total log based on the selected sessions to see an ‘intruder’s eye 
examination of the packet headers. view’ of the log contents. 


Merging Logs X Windows 


¢ There are some hosts where network traffic Event structures ¢ Request structures 
goes out through a router and returns through 


— Keystroke —Draw lines 
the second (due to asymmetric routing). 


— Mouse movements —Clear regions 
This can also be an issue where there are — Mouse button clicks —Change fonts 
multiple SMTP servers and for Web proxy 

servers. 

Result structures 


Sometimes, 1t 1s necessary to merge several — Response to the requests 


logs together to reconstruct a complete record 
of thenetwork activity. 


455 





X Windows Accessing Unix Log Files 


* xterm sessions in tcpdump logs are recorded Most log files in * To view log files 
in non-human readable binary structures — /usr/adm 


— /var/adm 


— vi 
— more (syslog) 
¢ A special graphical user interface, e.g. ~ /Wvarllog — who (utmp) 
review, is necessary to pull out the —/etc — last (wtmp) 
keystrokes in the xterm sessions= 


Accessing Unix Log Files Accessing Unix Log Files 
* acct or pacct * loginlog 
— Accounting logs contain commands typed by — Records failed logins 
every user 


* Aculog 


* sulog 
— Contains a record of when modems were used 


: — Records every attempt to log in as the 
to dial out administrator of the computer (root). 
* lastlog 


— Contains a record of each user’s most recent 
login or failed login 


Accessing Unix Log Files 


Accessing Unix Log Files 


* messages or syslog 


* wtmp and wtmpx 
— Main system log file containing wide range of 


— Contains a record of errors that are encountered 
messages from various applications. Routers when accessing external media 
and firewalls can be configured to add their Fil din /ot 
messages to this file. = EUS Saved Meee 
* utmp and utmpx * xferlog 
— Contains records of all users currently logged — Contains records of all files transferred from a 
into a computer. 


computer using the FTP 
— File saved in /etc 





syslog 


Jan 1 23:45 mycomputer sendmail[11668]: “debug” command from 
hacker.dhp.com (199.245.105.25) ss racker IP address 
Jan 1 23:45 mycomputer sendmail[11668]: “wiz” command from 
hacker.dhp.com (199.245.105.25) 

Jan 1 23:46 mycomputer sendmail[17936]: TAA17936: ruleset=check_rept, 
arg=someone@hotmail.com, relay=08-162.015.popsite.net [207.240.169.162], 
reject=550 Dial in connection [ff Source of junk mail 
<2 freeto@flashmail.com>...Relaying denied 

Jan 1 23:47 mycomputer sendmail[17936]: TAA17936: 

from=smoke @www.lg.co.kr, 


size=0, class=0, pri=0, nrepts=0, proto=SMTP, relay=08-162.015.popsite.net 


syslog 


Jan 1 23:48 mycomputer rshd[7373]: connection from 199.245. 105.25 onillegal port 2066 

Jan 1 23:48 mycomputer ftpd[7375]: connection from hackerdhp.com 

Jan 1 23:49 mycomputer login[7593): failed 2@ hackerdhp.com as + 

Jan 1 23:49 mycomputer login[ 7595]: failed ?@ hackerdhp.com asbin 

Jan 1 23:50mycomputer login{7596): failed ?@ hackerdhp.com asdaemon 

Jan 1 23:50mycomputer login[7597): failed ?@ hackerdhp.com asp Trial and 
error 


Jan 1 23:51 mycomputer login[7599]: failed ?@ hackerdhp.com asnuuep ; 
login 


Jan 1 23:51 mycomputer login[7600}: failed ?@ hackerdhp.com as root attempts 


Jan 1 23:52mycomputer login[7604]: failed ?@ hackerdhp.com asuser 
Jan 1 23:52mycomputer login[7605}: failed ?@ hackerdhp.com asuuep 

Jan 1 23:53mycomputer ftpd[7654]: connection from hackerdhp.com 

Jan 1 23:53mycomputer telnetd{7653]: connection from hackerdhp.com 

Jan 1 23:54mycomputer rshd[7652]: connection from 199.245.105.25 onillegal port 4128 


Remote login attempts 


[207.240.169.162], reject=550 someone@hotmail.com....Relaying denied 


Cautions When Accessing Unix Logs Cautions When Accessing Unix Logs 

* Onsome UNIX systems, wimp and utmp 
files truncate the source host name for 
remote login sessions to some limited size. 
— This obscures the source host name if it is long. 


¢ Accounting records only contain the name 
of the binary that was executed and not the 
full path name to the file. 


¢ Need to search all attached file systems for 
¢ One approach to addressing this problem is executable files with the same name. 
to modify the /Jast command to display full 


hostnames. 


Cautions When Accessing Unix Logs 


Cautions When Accessing Unix Logs 


¢ In shell scripts, the name of the interpreter 
for the script is recorded, but the name of 
the script is not recorded. 


¢ Shell history files are typically owned by 
the account whose activity they record, and 
so are subject to editing and erasure. 


¢ The name of the executable can be inferred i P : 
based on the shell history files and by ¢ Shell history is also written when each shell 


examining the user’s PATH environment exits, so overlapping shells can obfuscate 
variable settings. the record. 





Cautions When Accessing Unix Logs Accessing WinNT Log Files 


¢ The syslog timestamp that appears on the entries Log files in 


in the log files is the time that the entry was — Ysystemroot %\system32\config\ 
received by the local machine according to its vara 

own clock, not the clock of the machine that the Cun ien Nog 
log entries come from. 

appevent.evt - log of application usage 


This can cause confusion if the examiner tries to secevent.evt - log of security related activities 


correlate those log entries to other events from 
the original host, since there may be a clock syseventevt - log of system events 
offset between that host and the syslog host. 
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WinNT State Tables Log of TCP/IP Connections 


Log of current and recent connections only! neds u 
netstat —f inet lists all TCP/IP connections 


Date Time Source Category Event User Computer 

1/23/00 10:10:02 AM Security Systen! Event 515) SYSTEM ORGO Dial up connections 

1/23/00 10:09:02 AM Security Privilegeuse 577. SYSTEM ORGO 

1/23/00 10:07:02 AM _ Security Logon/Logoff 528 | ANONYMOUS ORGO TCP Local Address Remote Address State 

1/23/00 10:07:02 AM Security Logon/Logoff 528 | ANONYMOUS ORGO Security 

WARIO: WOME LE of UAREOUUS SEE eee) ED Log www.forensic-science.com.telnet 23 .oakland-01.ca.world.net.2048 Established 

1/23/00 10:05:02 AM _ Security Logon/Logoff 538 — eco3 ORGO a : z 

1/23/00 10:04:33 AM Security Privilege use 576 eee ORGO. www.forensic-science.com.telnet sdn-ar-004njnbruP047 dialnet.1754 Established 

1/23/00 10:03:02 AM __ Security System Event 529 SYSTEM ORGO. www .forensic-science.com.80 dial55175.mru.ru.1084 Established 
www.forensic-science.com.80 proxy -354.public.net.43883 Time_Wait 
www .forensic-science.com.80 line1.old.net.4667 Fin_Wait_2 

1/23/00 10:10:10AM NETLOGIN None 5719 N ORGO 

1/23/00 10:09:11AM_— EventLog None 6006 N ORGO System 


1/23/00 10:08:12AM —Dhep None 1005 N ORGO Log Web connections 
1/23/00 10:06:13 AM Serial None 6007 N ORGO 
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Forensics in the Datalink Layer Forensics in the Datalink Layer 


¢ The datalink and physical layers are the ¢ Datalink layer addresses (MAC addresses) 
richest sources of digital evidence are more identifying than the Network layer 
addresses (IP addresses) 
¢ Datacaptured using a sniffercan be very 
useful in — A MAC address is directly associated with the 


Network Interface Card in a computer 
— Reconstructing a crime 


— An IP address can be easily reassigned to 


— The accuracy of the entries in the logs is based different computers 


on the confirmation that they have not been 
manipulated 





ARP Cache 


¢ The Address Resolution Protocol is used by 
routers to map an IP address to the MAC 
address of a particular computer 


¢ The ARP cache on a computer or router can 
be retrieved using arp —a 


Intrusion Detection System 


¢ Snort (www.snort.org ) inspects traffic and 
only stores data that are suspicious. 


¢ The IDS keeps a log of attacks at the 
network level, allowing the examiner to 
determine the attacker's IP address. 


Reliability of Logs 


¢ Logs vary in the degree to which they can 
be relied upon to be accurate. 


— utmp and wimp logs on some UNIX systems 
are world writable 


— Any user can modify their contents. 


ARP Cache 


¢ The ARP cache does not keep permanent 


record and must be examined shortly after 
the connection has occurred 


Some routers can be configured to detect 
incorrect IP addresses to identify computers 
that have been purposefully reconfigured to 
hide the user’s identity 


Intrusion Detection System 


Unlike tcpdump, Snort can 

— Inspect the datagram payload 

— Decode the application layer of a datagram 

— Compare the datagram contents with a list of rules. 
— Configure rules to detect specific types of datagrams 


— Reassemble fragmented packets before checking 
them against known attack signature 


— Capture the entire binary datagram and store it in a 
tcpdump format. 


Reliability of Logs 


The reliability of the logs is dependent on 
the integrity of the systems that generate the 
logs. 

— If those subsystems have been compromised or 


replaced, the logs that they generate may not be 
a complete or accurate portrayal. 





80 


Reliability of Logs 


¢ The accuracy of the logs is also subject to the 
security of the network protocols used for 
transporting the messages. 


— syslog and NetFlow logs are both sent using UDP. 


— The logs can be incomplete. 


— It is relatively easy to create false entries by 
directing carefully crafted UDP packets with 
spoofed source addresses to the log servers. 


Time-Related Issues 


¢ Most log files include some sort of time 
stamp which can be used to correlate entries 
from several logs against one another. 


¢ One common problem is that the clocks on 
those hosts may not be synchronized. 


¢ It is also important to know the time zone 
that each log was recorded in. Unfortunately, 
the timestamps in many logs do not include 
the time zone. 
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Time-Related Issues 


¢ Since the amount of lag is often variable, 
events should not be correlated specifically 
by starting time or even duration, since the 
session in the network traffic log would last 
longer than the login session. 


¢ However, most of the log entries associated 
with a login session on a host should fall 
within the start and end times of that session. 
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Reliability of Logs 


¢ Guard against the dangers of incomplete or 
incorrect logs by correlating events from as 
many sources as possible and account for 
discrepancies between the logs. 


Time-Related Issues 


¢ Event lag is the difference in times between 
related events in different types of logs. 


— There can be significant event lag between the 
start of a phone connection and the start of an 
authenticated session on the modem pool. 


Time-Related Issues 


¢ Sometimes logs are created in order of the 
ending time of a session, instead of the start 
time and this can lend further confusion to 
the correlation process. 


— Log entries for NetFlow logs are created when 
the flow of traffic ends. 


— UNIX process accounting logs are created when 
the associated process ends. 
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Time-Related Issues 


¢ Since the ending events often match up more 
closely in time, it is advisable to use the end 
time of a session for making correlations 


* It is also trivial to leave a process running in 
the background so that it will persist after 
logout (using nohup), in which case its 
process accounting records will not be 
bounded by the login session. 


Forensics on the Internet 


¢ Investigating criminal activity of the 
Application layer 


— Web Browser 
— Email 

— Usenet 

— IRC 


Email Forgery 


> HELO Fake.message.com 
> MAIL FROM: fake @spoofedaddress.com 

> RCPT TO: you@emailaddress.com 

> DATA Forging an email on SMTP 


Subject: Spoofed Email (Simple Mail Transport Protocol) 


Date: date and time stamp 1 
This is a forged message. 
> QUIT 


Date: date and time stamp 1 
From: fake @spoofedaddress.com 
To: you@emailaddress.com 
Subject: Spoofed Email 


Message at Recipient 


This is a forged message. 


DNS Problems 


¢ Intruders can steal domains, poison the caches on 


DNS servers, or inject false information into 
address/name lookups. 


Many subsystems resolve the IP addresses that 
they know into names using DNS and then only 
log the resolved names which may not be correct. 


Thus, it is necessary to log messages with both the 
IP addresses and the resolved names. ae 


Forged Emails 


Email clients can be configured with false 
information when communicating with the MTA. 


The trusted Mail Transfer Agent is then exploited 
to relay the forged mails. 


Forged Trusted Mails with Spoofed 
Email MTA Sender Identity 


Email Tracing 


time stamp | time stamp 2 


Sender MTA 1 MTA 2 Receiver 


Received header of Email show Mail Transfer Agents along the route taken by the message 


Received: from trustedmta.com by yourmailserver.emailaddress.com 
(5.61/1.34) Id AA1404; date and time stamp 2 

Received: from fake.message.com (corpus. delicti.com [207.244.93.93]) Real Sender 
by trustedmta.com (8.8.5/8.8.5) with SMTP id VAAO1050 for 

<you@emailaddress.com; date and time stamp 1 

Date: date and time stamp 1 

Message-Id: <19970707070121.VAA01050@trustedmta.com 

From: fake @spoofedaddress.com 

To: you@emailaddress.com 

Subject: Spoofed Email 
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Tracing the Sender 


Don’t be fooled by a fake sender email account 


Information from Received Header 
Domain Name 
IP Address 


Find Real Sender 
Location 


Identity 
Intentions 


Usenet Tracing 


Path: news. corpusdelicit.com!plne!extra. newsguy.com! 
News lotsanews.com!news. maxwell. syr.edu! newsfeed. wli.net! 
server su-newshub 1 .bbplanet.com!newsbbnplanet.com!newsfeed. 
path concentric.net! master0.news.internet.net!abe !net 

From: nobody (nobody@hotmail.com) Check Jog of this node 
Newsgroup: alt.abuse 
Subject: Spoofed Article 
Date: date and time 
Organization: Nobody’s Home 
Message-ID: 8pF762$Flg@ masters0.internet.net 
Reply-To: nobody @hotmail.com Forged sender information 
NNTP. Posting- Host: cheat.usenet.com 


X-Trace: SOLAIR2. masters0.internet.net 922191688 24958.199.166 


Dial up connection 


IRC Tracing 


¢ /whois nickname 


— Uses a person’s IRC nickname to get the person’s 
email address, chat channel, IRC server chatting on, 
IP address. 


¢ /whowasoldnickname 


— To obtain logged information from the IRC server’s 
temporary cache if the culprit leaves the IRC or 
changes his nickname 


¢ /who *domain-name* or *pen-name* 


— Searches subnet for any information associated with 
the culprit a 


Usenet Forgery 


> GROUP: alt.abuse 
> POST 
Subject: Spoofed Article 
Path: abc!net 
From: nobody @hotmail.com 
Newsgroups: alt.abuse 
This is a forged message. 
> QUIT 


Path:news. corpusdelicit.com!plne!extra.newsguy 
.com!lotsanews.com!news. maxwell. syr.edu!news 
feed. wli.net!su- 


newshub].bbplanet.com!Newsbbn. 
planet.com!newsfeed.concentric.net!master0.new 
s.internet.net!abe!net 

From: nobody (nobody @hotmail.com) 
Newsgroups: alt.abuse 

Subject: Spoofed Article 

Date: date and time 


Message-ID: 8pF762$Flg@masters0.internet.net 
NNTP: Posting- Host: cheat.usenet.com 


Forging an article on NNTP 


(Network News Transport Protocol) This is a forged message. 


Message at Posting Host 


IRC Tracing 
2 main problems 


¢ Communications are transient and hence not archived 


¢« Communications can also bypass IRC network once 
Direct Chat Mode (DCC) or file server (fserver) is 
established. 


— IRC clients send information directly to IP address of 
opposite party 


Identifying the Intruder 


. Log all packets related to a particular logon 
session. 


Invoke tcpdump on the targeted host on login 
and terminate on logout and log all actions to 
a history file. 


Track the channel the intruder typically 
hungs out on to the account used for 
authentication, and map to the compromised 
account and IRC nicknames. ae 
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Identifying the Intruder 


Monitor suspicious activities such as 
— Several different people connecting to IRC 
through the compromised account 


— Multiple simultaneous logins 


— Use of accounts for people who were no 
longer affiliated 


— Intrusion and denial of service attacks 


Digital Evidence on the Internet 


¢ Seizing evidence directly from the remote 
servers is sometimes impossible 


¢ Ensure that evidence collected from the 


Internet is authentic and not modified 
during transmission 


‘This slide is intentionally left blank 


Digital Evidence on the Internet 


¢ Digital evidence is often stored on remote servers 


¢ The evidence can be stored in many different 
places to complicate search 


¢ Creating a cohesive reconstruction can involve a 
large amount of evidence from a wide variety of 
sources: 

— Phone traces, pen registers, NetFlow, tcpdump logs, 


authentication logs, victim host logs and host based 
evidence son 


Digital Evidence on the Internet 


¢ Web browser, email clients, newsgroup 
activity and log files on the local computer 
also keeps records of the pages visited, 
copies of emails and live chats 


* Do not change file names for documentary 


purposes or edit contents of files to make 
them more readable 


This slide is intentionally left blank 
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Section 10 


Forensics on an 
Unknown Program 


Analysis Tools 


¢ Program file analysis tools 
— strings shows clear-text strings embedded in any file 
— grep searches for specific strings 
— file identifies file content by looking at part of the 
data 


¢ General file analysis tools 
—nm displays compiler and runtime linker symbol table 


— Idd identifies dynamic libraries used 
— disassemblers, debuggers 


Clues from Symbol tables 


Compiler symbol table reveals internal procedure names 


% nm-pa 

0000077448 T nfsproc_getattr_2 
0000078888 T nfsproc_create_2 
0000079428 T nfsproc_link_2 
0000077988 T nfsproc_lookup_2 


Run-time linker symbol table reveals calls of external shared library routines 


% nm-Dua 
perror 
pmap_getport 
pmap_rmtcall 
printf 

qsort 


Identifying an Unknown Program 


Run the program, see what happens. 

— What if the program turns out to be destructive? 
Run the program on a sacrificial machine. 

— What if the program depends on specific 

machine features? 

Static analysis of program file 

— Slow, but hopefully safe. 

Details will be somewhat operating system 
specific 


Identifying an Unknown Program 


%Is-la 

atwxexr-x | wietse staff 67724 Jul 24 18:21 a An executable program 

% file a 

a: ELF 32-bit MSB executable SPARC Version 1, dynamically linked, not stripped 


Not stripped, so a lot of compiler information is still available 


Finding Exploit Code 


A combination of: 

— MAC time 

— unrm 

— grep program files for source code 


Standard Unix tools 

Reconstructing mail files 

Text-based log files 

Correlator (binary, repeating logs, etc.) 
File sanity checking 
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Embedded Strings 


% strings - a 
- umount remote file system export 

- show all exported file systems umountall 

- umount all remote file systems umount 
[-upTU] [-P port] <path> - mount file system 
mount 

<local-file> [<remote-file>] - put file 
<uid>[.<id >] <file> - change owner 

chown 

<mode> <file> - change mode 

chmod 

<dir> - remove remote directory 

rmdir 

<dir> - make remote directory 

mkdir 

<filel> <file2> - move file 

<filel> <file2> - link file 

<file> - delete remote file 


Eradicating Network Traces 


It is virtually impossible in most cases for 
the intruder to eradicate network traces 

— Don’t know where data was saved 

— Must determine where data flow went 

— Compromise all routers, hosts, etc. 


— Destroy all information there, plus recursively 
follow this list 


Gathering Information 


¢ System configuration 

¢ System and user programs 

¢ System and kernel memory 

¢ Raw memory & disk 

¢ Anything with IP #/hostnames 


Backdoor Service 


¢ Stand-alone telnet server 
¢ Bypass TCP wrapper and system login procedure 


% telnet victim 5120 
‘Trying 131.155.210.17. 
Connected to victim. 
Escape character is” “]”. 
password 

SunOS UNIX (victim) 
victim# 


telnet portd she 
Intruder : — 
client server process 


Compromised machine 512 


Network Sniffing & Spying 


IDS often ineffective by themselves 


Useful for damage control, not for data 
recovery 


Best as standalone monitoring system 
Requires lots of storage for complete traffic 


Must protect the system(s) doing the 
sniffing and storing data 


Encrypted or hidden connections a problem 


514 


System Configuration 


Enter into the realm of auditing 

Invisible changes 

Freezing system should gather most of this 
Need to know how system should look like 
Kernel 

Packet filters 
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P. 
System Configuration rograms 


Access control * Queries to system * Logs 

— hosts.allow, httpd.conf, sshd_config — netstat — Syslog 
Trust — arp — NFS 

— servers, rhosts, network information — Isof _NIS 
Configurations 

— routes, inetd.conf, startup files 
Protocols 

User 


— .rhosts, .forward) 


— portscanners — DNS 


¢ Program memory — Kernel 


Show Net Status Portscanners 
Active Internet connections (including servers) 


PSN MEU PET * % tcp_scan <udp> 1I-1024 
Protocol R-Q S-Q Local Address Foreign Address State 2 1 ' ft 

tcp 0 0 flying.smtp 192.215.43.108.4778 EST =A : tp 

tcp 0 flying.hup dialup6929.nssl..2787 EST 


0 
tcp 0 0 flying.smtp 192.215.43.108.4769 WAIT — 23: telnet 
0 


tcp 0 flying.http telapex..2198 SYN_RCVD 


— 25: smtp 

% netstat -rn . 
Destination Gateway Flags Refent Use Interface = 53: domain 
127.0.0.1  127.0.0.1 UH 1 1365 100 ‘ 

default 209.179.181.129 UG 17 2089112 le = 5 15: printer 


— 667: unknown 


Routing tables 


Data Binding TCP Wrapper Alert 


Keeps track of every query of host ¢ Suspicious activity at some unlikely hour 
Send a passive signal to bind Feb 13 23:09:52 wsbs06 in.fingerd{15900]: connect from lock @wsbs03 
Dumps database into named_dump.db 


Compare system logs, known hosts * Screen saver accounts don’t finger around at 
—use TTL vs time left in memory midnight. 


* Suspect screen saver account compromised 


522 





Compromised Root Account Suspicious Process 


# psaux 
Feb 13 23:05:34 wsbs01 in.fingerd[7948]: connect from root@wsbs03 USER %CPU %MEM SZ rd STARTTIME COMMAND 
Feb 13 23:05:35 wsbs06 in.fingerd[15895]: connect from nobody @wsbs01 root 0.0 0.0 1 Jan 14 0:01 swapper 
root 0.0 © 0.0 ; Jan 14 0:00 Abin /init - 
root 0.0 0.0 Jan 14 0:00 pagedaemon 
root 0.0 §©0.0 16 ? Jan 14 0:00 (biod) 
root 00 800 68 ; Jan 14 0:00 portmap 


# finger @ localhost @ wsbs06 @wsbs01 root 0.0 0.048 2 23:02 0:00 <defunct> 


wsbs06 wsbs01 wsbs03 


Feb 13 23:05:36 wsbs06 in.fingerd[15897]: refused connect from nobody @localhost 


Process name: misleading to hide real purpose. 
Process start time: matches time of incident. 
Process privileges: super-user 


ps incantations (BSD) Ps incantations (System V) 
Basic listing 


# ps ax 


PID TT STAT TIME COMMAND AIP 
UID * STIME TTY TIME COMD 
152 pO s 0:00 -csh (csh) 


wietse 12:57:58 pts 0:00 -esh 
883 pd R 0:00 ps ax wietse 13:00:43 pts/0 0:00 ps-ef 


# ps -ealf 
Command and environment listing FS UID PID > PRI NI ADDR SZ WCHAN STIME TTY TIME COMD 

8S wietse 9157 41 20 fe52bec0 218 feS2be90 12:57:58 pts/0 0:00 -esh 

# ps auxeww 8 O wietse 9204 55 20 fc52b000 173 13:13:03 pts/0 0:00 ps -ealf 

USER PID %CPU %MEM SZ RSS TT STAT STARTTIME | COMMAND 

Wietse 152 0.0 15 56 212 po $s 09:12 0:00 ~csh 

HOME=/home/wietse USER=wietse LOGNAME=wietse PATH=/bin:/usr/bin 

fasrhieb : fasr/bin/X1 1 :Atsr/local/bin:Asr/local/bin 

MAIL=Kar /spool/mail/wietse SHELL=/binésh TERM= xterm (csh) 


List Open Files and Connections 


#lsof-p 12823 fip://vic.cc.purdueedu/pubstoolshsof 
COMMAND PID USER ‘I TYPE DEVICE SIZE/OFF INODE 

<defunct> 12823 root ewd ~VDIR 7, 22 1024 868362 

<defunct> 12823 root VREG 7,22 32768 868676 a This slide is intentionally left blank 
<defunct> 12823 root VREG 7,6 24576 139429 

<defunct> 12823 root VREG 7,6 516096 139397 

<defunct> 12823 root VREG 7,0 4096 14951 

<defunct> 12823 root VREG 7,6 40960 139492 

<defunct> 12823 root inet Oxff64b50e 0x0 TCP #35120 


The intruder had left behind a process running with super- 
user privileges that listened for incoming connections on 
TCP port 5120. This process looked like a privileged 
backdoor However, the executable file itself had been 
deleted. 





Reconstruction of User Activity 


Section 11 


¢ Reconstruct what was typed 
: Determine what happened 
Forensics on 


. anise Determine the damage done 
Intrusion Activities ; 
Determine what files are used 


Correlation is the key 


What to Trust What to Trust 


When a machine has been compromised, ¢ Modifications to application program and 
all information that comes from the data files can be detected relatively easily 
machine must be treated with extreme by comparing the files on the system 
suspicion against a known -to-be-good baseline. 


¢ Toolkits for UNIX achieve stealth by 


Intruders routinely replace system utilities modifying a running OS kernel on-the-fly 


such as Is, ps and netstat with versions that 
are modified to hide the presence of ¢ Kernel-level modifications can be much 
backdoor programs harder to detect 


Unmistakable Rootkit Signature Tools & Methods 


¢ Finds trojan versions of command file 
— find/ -type f-print | xargsmd5 >file : 

edu (hide sniffer, logs, and configuration files) Shell history 
* ifconfig (hide sniffer activity) Process accounting 
¢ login (backdoor) . 
els (hide sniffer, logs, and configuration files) Log files 
¢ netstat (hide intruder network connections) MAC times 
* ps (hide sniffer process) 


Network sniffing 


¢ Plus what turns out to be configuration files, 
programs, and a network sniffer logfile with 
login/password information. os 





Contents of a Forensic Toolbag How and What to Grab 


— Statically linked data collection Take the system offline 


tools Keep track of everything you type or do 


vad ep, cal ts Grab first, analyze later 
— Mechanism to get more tools or Note hardware, software, system configuration 
stash data Automation is necessary (time & consistency) 
° fip Follow order of volatility 
Make copies (including tools) to safeguard them 
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Collecting Evidence List Open Files and Connections 


¢ Gather in order of lsof command 


— Memory * (vic.cc.purdue.edu/pub/tools/Isof) 

— Unallocated filesystem what files a process executes 
what files a process accesses 

— netstat, route, arp what network connections a process uses 

the current directory 

the internal inode number 

— Config, log, interesting files such as cron, at the name of the filesystem from which the file 
originated 


— ps, capture all process data 
— stat & MDS on all files, strings on directories 


Processes Disk Stuff 


Capture state & binary 
— ps 
— /proc 


¢ NFS/Net data handled at server 
—dd all filesystems (if possible) 
—stat & MDS all files 
— peat 


—strings on directories 
tay —Capture logfiles, sys configs, important files 
—Kernel, dumps, corefiles 





Log files Freezing an Attacker’s Process 


Network logs ¢ Do not connect to the port 
TCP wrappers — Bad things might happen 
¢ Do not terminate the process 
Daemon logs — All information would be lost 
¢ Suspend the process 
— kill terminates the process 
: — kill -STOP suspends the process 
Accounting logs — kill CONT resume the suspended process 
¢ Checking the result 
— # psax|grep T 


Programs logs 
Kemel logs 


Program Analysis Program Analysis 


¢ Static Analysis 


— Studies a program without actually executing it 


¢ Dynamic Analysis 
— Study a program as it executes 
— Disassemblers, decompilers, source-code 
analysis tools, strings and grep commands 


— Can reveal how a program would behave under 
unusual conditions 


— Impossible to fully predict the behavior of any 
nontrivial program 


— Debuggers, function call tracers, machine 
emulators, logic analyzers and network sniffers 


— Analysis is fast and accurate. However, what 
you see is all you get 


— Difficult to make a nontrivial program traverse 
all the possible paths through its code. 


Program Analysis 


Program Analysis 


¢ Black Box Analysis 


* Postmortem Analysis 
— Dynamic analysis without access to program — Study of program behavior by looking at the 
internals 


after-effects of program execution 


— Often the only tool available after system 
intrusion 


— Only observables are the external inputs, 
outputs, and their timing characteristics. 


— Can include power consumption and 


— Some information disappears quickly as normal 
electromagnetic radiation 


system behavior erodes away the evidence 





Process Memory Map 


Program code and constants (from program file) 
Program variables (saved in core dump) 


Direction of growth of stack segment 


Shared library code and constants (from lib. files) 
Shared library variables (saved in core dump) 


Direction of growth of data segment 
Stack (saved in core dump) 


Capturing Process Memory 


* pcat dumps the entire memory of a process 
to file, including code, data, heap, libraries 
and stack 

# peat 12832 > pcat.12832 


To dump all memory of process 12832 


¢ Result can be examined with unstructured 
tools such as strings, binary editor 


File Accessible by Inode Number 


° # ils device 
— List removed files (inode unallocated and/or refcount 0) 


# ils -o device 
— List removed open files (inode allocated but refcount 0) 


# ils -l device 
— Existing and removed files (inode allocated/unallocated) 


# ils device inode 
— List specific inode 


# icat device inode >file 
— Access file content by inode number 


Memory Map 


© # dd </devkmem> output 
© # dd < /dev/mem > output2 


© # dd < /dev/rswap > output3 


Examining the Memory 


* Use ps or Isof to locate program 
— pcat 123 | strings > 123.mem 


¢ grep ‘[host/IP pattern]’ 123.mem 


¢ Use strings and less to examine further 


Capturing Program File 


* icat retrieves file associated with device 
name and inode number. 

* Recover deleted but still open or running 
files. 


# icat <device>/dev/rsd2g 868676 > 868676.out 


To save contents of file < pid> 868676 on <device> /dev/sd2g 


* Result can be examined with standard 
debuggers and with unstructured tools such 
as strings, binary editors 
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Capturing Process Data 


* gcore is a standard utility program that takes 
a snapshot of the process data and stack but 
not of the program code 


* gcore creates core dump checkpoints of 
variables and stack 


* gcore is not available on LINUX 


Examination with strings 


# strings core.12832 | more 
Error: cant open file 
kill 

Error: cant open file 
%s not found 

bad port %s 

Trying %s... 

telcli socket 

:) %s port %d... 

esh -bif 

exec Activities of process 12832 
parstuvwxyzPQRST 
Idev/ptyXX 
Idev/pty 

Idev/ptyp 
0123456789abcdef 
/bin/csh 

/dev/ 

/dev/tty 

fork 

/bin/csh 

telnetd: %s. 


Capturing Process Information 


¢ Process Attributes 


Solaris FreeBSD LINUX 
Program file /proc/pid/object/a.out /proc/pid/file /proc/pid/exe 
Process memory /proc/pid/as /proc/pid/mem /proc/pid/mem 
Memory map /proc/pid/ap /proc/pid/map /proc/pid/maps 


Capturing Process Data 


¢ The output from gcore is in the form of a 
core dump file 


¢ Result can be examined with standard 
debugger tools, unstructured tools such as 
strings, binary editors 


Core dump checkpoint for process 12832 


# gcore 12832 

gcore: core.12832 dumped 

# Is -l core.12832 

-w-+r-r- | root 8421808 Feb 24 09:29 core.12832 


Capturing Process Information 


/proc filesystem provides process information on 
executable file, current directory and process 
memory. 


Entries in /proc/<pid> give access to process info 


Capturing the program file is as simple as 
copying /proc/<pid>/file 


Capturing process memory requires more work 
because the memory map has holesinit + 


Capturing Network Information 


¢ All local network states 
— netstat 
— route 
— arp 
— Kernel info 
— Logfiles 
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Remote Network Information 


Speed is important 

Router flow logs 

Portmasters , dialup equipment 

Sniffer, tcpdump 

Server information 

— DNS, NES, NIS, mail, syslog, WWW, news 
Information gathered for this host 
Telcos 

ISPs 

FIRST/CERTs 


Watching a Process in Action 


¢ Use standard debugging hooks to intercept and log 
— System calls (tapping the user-kernel interface) 
— Library calls (tapping the application -library interface) 
— Individual application routines (requires program file) 
— Individual machine instructions 


¢ Run-time tracing can generate large amount of data 


¢ Run-time tracing can impact performance 
noticeably 


Watching System Calls 


¢ User-kernel interface does not show what 
happens inside the application or inside 
library routines 


¢ All information must enter or leave the 
program via a system call, input, output, 
network, file or terminal 


Many system-specific tools 
— trace (SunOS 4) 

— truss (Solaris 2) 

— ktrace (*BSD) 


Watching a Process in Action 


¢ Tracing a process at the machine instruction level 
generates enormous amounts of information. 
— Tracing process manipulates the traced process via 
operating-system debugger hooks. 


— Passing control back and forth between the traced 
process and the tracing process after each machine 
instruction slows down execution 


— Every file access, every network access, every 
interaction with the world requires a system call to 
request assistance from the operating system. 
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Watching System Calls 


Watching system calls is better than 
watching machine instructions 

— System calls happen at much lower frequency 
— Causes less slowdown of execution 

— Produces less information 


Information about system calls 
— Have better signal to noise ratio 


— Suitable for filtering on the function call name 
or on function call arguments 562 


System Call Tracing 


Ch4 
[SS 
12345 '¢ T Local Clear Text 


Encrypted Text in Network 


Observer strace |; > che 


# strace -p 12345 
ff and its child processes 
-¢ trace=read,write show everything read from Ch 6 
-e read=6 show everything written to Ch 4 
NOS look at read/write calls only 


watch process 12345 
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Host Based Tracing Hiding a Process from Observation 


* Itrace * Cannot use lots of CPU, memory or I/O resources 
— ftp://ftp.debian.org/debian/dists/unstable/main/source/utils/ 


— Log every library routine call (output like strace) ¢ Modified DS, lsof top applications or library 
— Portable to LINUX routines 

atcher 
p://coast.cs.purdue.edu/pub/tools/unix/ttywatcher/ 
— Real-time monitoring 
— Portable to SUNs 


— Can be sufficient when process listing applications 
must be installed as privileged commands. 


* Modified kernel: crude implementations of 
* tap loadable kernel modules 


— ftp://coast.cs.purdue.edu/pub/tools/unix/tap/ — Hides a process even from the most privileged users. 
— Hook into streams -based tty systems. 


— http:/Ahc.pimmel.com/ 
— Portable to SUNs 
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Hiding a Process from Observation A Forensic Case Example 


Application 


User Level Investigating a suspected intrusion 
Library 


Hardware * Priorities: 
f — Gatheri id f the break-i 
Standard B2+ security feature (covert channels) Re Ee Ee ee tat eee 
, a k — Prevent or contain the damages 
Spying on an intruder without being seen — Restore the integrity of the system 
Hiding a password sniffer process 


Other forms of surveillance 


When Faced with a Situation Leave the System On / Off ? 
¢ Secure and isolate Leave the system running 
¢ Record the scene — Catching the intruder red-handed 


: : — Preserving evidence on live connections and RAM 
* Conduct a systematic search for evidence i 


— Danger of losing or overwriting evidence during 


* Collect and package evidence investigation 


¢ Maintain chain of custody 


Disconnect and reboot the system 
— Contain the damage 
— Danger of destroying more evidence 
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Help the Investigator 


¢ Ask all non-essential users to log off 
— To facilitate investigation 
— To reduce noise interference 
— To prevent malicious code from spreading 


¢ Offer use of system administrator account 


— To enable investigator freedom of access for 
purpose of investigation and gathering evidence 


Check Who is On 


Your administrator login 


# /bin/who 
root console Mar 6 16:00 
rewt pts/26 Mar 6 15:45 (174-16-52.world.com) 


Suspected intruder since 


all other users have log off Source of intruder ’s remote access 


Check Intruder Logins 


Intruder still online 


# /bin/last rewt 
rewt pts/26 174-16-52.world.com Sat Mar6 15:45 © still logged in 
rewt pts/S 214-72-229.world.com Sat Mar6 00:13-00:27 (00:13) 


Document the Investigation 


Open a log file to keep a complete 
record of all investigation activities 


# /bin/script evidence 

Script started, file is evidence 
# date 

Sat Mar 6 20:03:34 1999 


Type exit to close log on completion 


Check Recent TCP/IP Connections 


Indications of Telnet connections from world.com to forensic -science.com 


# /bin/netstat—a 
cases. forensic-science.com.telnet 174-1 6-52.world.com.1711 8235 
0 64260 0 ESTABLISHED 


Confirms remote connection based 
on who and netstat results 


Determine Intruder Activities 


List all intruder’s processes 


Processes with start time > 24 hrs 


# /bin/ps -auxwww | grep rewt 
UID PID PPID C STIME TTY TIMECMD 
rewt 2198 2191 0 Mar6 2 378:50 rsh www.corpus-delicit.com 
exec/temp/.invisible/destroy 
2186 1993 Mar 6 Hi 295:31 sniffer 
4094 3155 16:02:14 0:00 grep rewt 
1993 1946 15:46:57 pts/24 0:01 -csh 


Possibly a destruction program running on remote 
machine www.corus-delicit.comusing remote shell e718 
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Contain the Damage 


Stop the intruder’s processes 


# /bin/kill—9 2198 
# /bin/kill—9 2186 
# /bin/kill—9 1993 


PID of processes 
executed by rwet 


Trace the Log 


Intruder exploited buffer overflow to log in 


# /bin/more syslog 

AEAH “E48 “E4H “EAH “E4H “EH “EAH “EAH 4E4H 
ABAH ABA ABAH AEAH ABAH AEAH ABAH AEAH AB 
AEH H “EH “EH “EH “EAH “EAH AEH AEA 
AEH(Mar 5 23:43:13 cases.forensic-science.com “EAH 
AEH 4EAH “EH “EH “EAH 


Overflow data from a file 


Determine Intruder Activities 


Recall on the intruder’s processes 


# /bin/ps -auxwww | greprewt 
UID PID PPID C STIME' TTY TIME CMD 
rewt 2198 2191 0 Mar6 ad 378:50 rsh www.corpus-delicitcom 
exec/temp/.invisible/destroy 
2186 1993 Mar 6 2 295:31 sniffer 
4094 3155 16:02:14 0:00 grep rewt 
1993 1946 15:46:57 pts/24 0:01 -esh 


Look for this program 
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Trace the Log 


#/bin/more syslog 

Mar 5 23:43:13 cases.forensic-science.com mountd[513]: 
Unauthorized access by NFS cilent 174-16-65.world.com 

Mar 5 23:43:13 cases.forensic-science.com syslogd: 
Cannot glue message parts together 

Mar 5 23:43:13 cases.forensic-science.com mountd[513]: 
Blocked attempt of 174-16-65.world.com to mount 


Intruder gained access through 
a vulnerable version of mountd 
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Trace the Log 


File containing buffer overflow data 


#/bin/more syslog 
Mar 5 23:46:54 cases.forensic-science.com PAM_pwdb[3122]: (login) 
session opened by user doomed by (uid=0) 


Mar 5 23:46:54 cases.forensic-science.com login[3122]: LOGIN ON 
ttyp0 BY crakO FROM 174-16-65.world.com 


Mar 5 23:50:03 cases.forensic-science.com PAM_pwdb[3130]: (su) 
session opened for userrewt by doomed (uid-0) 


Switching to a newly created account with root access 


Directory Missing 


#/bin/cd /tmp 
#/bin/Is -altc 
drwx-------- 2root root 512 Mar6Jan115:33 / 
drwx-------- 8root root 512 Jan1 15:33 all 


/tmp/.hidden not found 
ls command may have been replaced with a 
modified version that does not list the hidden 
directory /tmp/ invisible 
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How to Hide a Directory 


Install the rootkit as follows 


mkdir .invisible 

mv rootkitkit .tar.gz .invisible 
cd .invisible 

tar zvf rootkit .tar.gz 

Is 

cd rootkit 

install 

exit 


List All Subdirectories 


Surely enough, the version 
of Js has been modified 


# /bin/du 
10273 ./.invisible 
10273 


The originally 
hidden subdirectory 


Follow Up 


Terminate the script logging the investigation 
by typing exit 

Print all evidence and sign on each page 

Copy evidence to disk using tar (instead of cp) 
to preserve timestamps and file attributes 
Create message digest for each digital 
evidence 


RedHat Package Manager (RPM) 


The RPM provides a convenient way to 
determine if common system files like /s have 
been modified 


The command rpm —Va verifies all of the 
important files on the system 


This method is not failsafe 


— A sophisticated intruder can also modify the RPM 
database to hide changes made to the system 
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Examine Intruder Activities 


Hidden subdirectory 


#/bin/cd /tmp/.invisible 
# /bin/Is —altc 
-TW-r-E-- rewt 3925716 Mar 6 21:21 info3 
rewt 108133 Mar 6 16:48 info2 
rewt 1818708 Mar 6 16:03 infol 


rewt 4414846 Mar 6 15:54 destroy 


-TW-T-1-- 
-TW-r-1-- 
-TW-T-1- 


rewt 512 Mar 6 00:20 
root 7168 Jan 1 15:33 


drwxr-xr-x 


1 
1 
1 
1 
drwxr-xrx 2 rewt 512 Mar 6 00:22 sniffer 
3 
3 


drwxr-xr-x 


Follow Up 


Duplicate evidence for safekeeping and 
further investigation 

Reboot the system 

Make a bitstream copy of the hard drive 
Examine router log files 


— Log files will reveal trial and error entries of 
intruder attempting to gain access 


Reformat disk, reinstall OS 
Issue new passwords to all users 
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Post-Mortem 


¢ Intruder had 


— Exploited common vulnerability to intrude into 
system 


— Obtained access from a dial-up account at 
world.com 


— Modified the system using a rootkit 
— Created a hidden directory by modifying Is 
— Hide tools in hidden directory 


‘This slide is intentionally left blank 


‘This slide is intentionally left blank 


This slide is intentionally left blank 


This slide is intentionally left blank 


This slide is intentionally left blank 
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Section 12 


Forensics on 
Wireless Network 


Wireless Network Analysis 


Time is of the essence when collecting data. It 
is important to build relationships and 
procedures with wireless operator personnel so 
that when a situation arises, time will not be 
lost. 


The list on www.infobin .org has the names of 
ISPs and contacts at their legal departments for 
services of court orders and search warrants. 
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Wireless Network Analysis 


The ability to quickly track a subscriber 
location during the course of a phone call is 
possible but requires personnel familiar with 
the network operator’s equipment. 


Procedures should be in place at the operator 
to aid in rapidly expediting the investigation. 


Procedures should also be in place for law 
enforcement so that they know who to call for 
emergency assistance. 509 


Wireless Network Analysis 


The ubiquitous nature and increasing 
complexity of wireless networks raises a 
host of criminal and legal issues. 


Of concern is how law enforcement can 
locate and process wireless network digital 
evidence and ensure that it is legally 
admissible. 


Wireless Network Analysis 


Generally, the most complex parts of the 
process are 


— Law enforcement having to find the right 
people to talk to at the wireless network 
operator. 


— The system analyst receiving authorization to 
track a phone call. 


Circuit Switched Wireless Network 


The 3 most popular digital circuit switched 
wireless technology 


— GSM 
¢ Global System for Mobile Communications, TDMA 


— IS-136/TDMA 


¢ Time Division Multiple Access 


— IS-95/CDMA 
* Code Division Multiple Access 
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Mobile Device Mobile Equipment Identity 


¢ A GSM mobile device is marked with a ¢ The 14 digits IMEI contains the 
unique International Mobile Equipment — Type Approval Code (TAC) 
Identity (MEI) numbers. * 6 digits 
¢ Issued by the certification body to the manufacture 
¢ JS-136 and IS-95 mobile devices are — Final Assembly Code (FAC) 


marked with a unique ESN (Electronic + 2digits 


: ¢ Issued by the manufacture for this particular 
Serial Number). squipiaent ives 


¢ The IMEI or the ESN can be found printed era 


7 * 6 digits 
on the back of the mobile device. 601 = ‘Tiss Srannneachiver’ éudigue srodaghomnunibee, | ® 


Mobile Equipment Identity Mobile Equipment Identity 


* The IMEI can be interrogated with the key The IMEI can usually be found in the 
combination *#06#. EEPROM memory. 


A 1-digit Check Digit (CD) is calculated There are many tools available for _ 

from the 14 IMEI digits and is not sent modifying the IMEI. This may provide 

within the GSM network. problems when tracing and furnishing proof 
on the use of the mobile device. 


SIM Card SIM Card 


In GSM, the Subscriber Information The phone number is called the Mobile 
Module (SIM) contains data such as Subscriber ISDN. 


— The subscriber’ s phone number The International Mobile Subscriber 
Sis aes Identity (MSI) is globally unique to a 
— The subscriber identit b : : oo, 
iaecamanbes amet particular subscriber. The 15 digits IMSI 
can indicate the subscriber’s country and 
wireless network operator. 


— The subscriber’s PIN number 


— Authentication keys 
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SIM Card 


¢ A Temporary Mobile Subscriber Identity 
(TMSI) can also be stored on the SIM card 
to avoid revealing the IMSI number. 


IS-136 and IS-95 mobile device do not use 
a SIM card. The phone number or Mobile 
Identification Number (MIN), the IMSI, 
PIN number and authentication keys reside 
on the mobile device itself. 


SIM Card 


This blockade can be lifted with a PUK (Pin 
Unblocking Key). 


— A PUK is entered together with a newly chosen 
PIN. 

— The number of attempts at entering a PUK is 
limited to 10. 

— In many countries, PUKs can be obtained from 
the subscriber’ s network provider. 


GSM Memory 


¢ It is also possible to retrieve supplementary data 


through the direct reading of the EEPROM or 


FLASH memory contained in the GSM device. 


* To do this, the memory is removed and read 
with a universal programming device. 


¢ The decoding process amounts to looking at the 
memory dump in a hexadecimal viewer such as 


the Hex-Workshop (www.hexworkshop.com). 


611 


SIM Card 


¢ Data in a SIM is protected with a PIN. 


— The number of attempts at entering a PIN is 
limited to 3. 

— If none of the attempts is successful, access to 
the protected data is blocked. 


Extraction of SIM Data 


¢ Cards4Labs (www.forensischinstituut.nl) is 
modular program for reading smart cards 
via PC/SC compatible smart card readers. 


For reading SIM data, the PUK can be 
requested from the network provider with 
relevant authorization. 


This PUK, when entered with a PIN of 
choice, allows access and decoding of files, 


including data that have been erased. ei 


Back Door 


Many systems have a back-door 
deliberately built in to circumvent security. 


The reserve password may be found in the 
technical documentation. 


¢ For some GSM, service sets used by repair 
departments can be used to retrieve or 
circumvent these device passwords. 
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Mobile Switching Center Mobile Switching Center 


¢ The MSC is the nerve center of the circuit ¢ The MSC interconnects calls from its own 
switched network. network area to other fixed line network, a 


data network, or another wireless network. 
¢ The MSC performs call setups and maps out 


the path of a call between the originating ¢ Billing information in the CDR (Call Detail 
and destination points. Record or Charging Detail Record) is also 


derived from the MSC. 
¢ The MSC switches calls between Location 


Areas and between other MSCs . 


Home Location Registry Visitor Location Registry 


¢ The HLR contains subscriber information ¢ The VLR contains the subscriber 
such as who pays the bill, their billing information of all users active in a particular 
address, their phone number, the services MSC’s network. 
that they are allowed to use. 


The HLP will always know the location of When a subscriber roams into anew MSC 
the mobile device as it may need to route area, the VLR will request information from 
call to the mobile device. the subscriber's HLR and create a record for 


Ciphering keys for a particular subscriber esther 


are also held in the HLR. 
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Visitor Location Registry Equipment Identity Registry 


At the same time, the HLR will create a In GSM, the EIR contains a list of IMEI 
record showing the name of the VLR to numbers that the operator has registered. The 
which a subscriber is presently associated. EIR can be used to blacklist stolen mobile 


¢ When the subscriber moves out of an devices to prevent further abuse. 


MSC’s area, the record in the MSC’s VLR 

is created and the HLR is notified. IMEIs are categorized as 
— White: authorized mobile devices 
— Black: unauthorized/reported stolen mobile devices 
— Gray: malfunctioning mobile devices. 
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Operational and Maintenance Center Turning on a Mobile Device 


¢ The OMC provides a view of the 
operational status of the network, network 
activity and alarms. 


¢ Switching on a mobile device causes the 
device to register with the network and 
inform the network of its Location Area. 


* The OMC can be used to ¢ The mobile device may also be requested to 
— collect traffic information from the network perform a location update every so many 


— examine a particular mobile call in progress minutes to identify its location within the 
(mobile trace) network. 


Turning on a Mobile Device A Mobile Device in Idle State 


¢ The MSC for the area informs its VLR as to 
the Location Area the mobile device has 
reported its presence and inform the 
subscriber’s HLR accordingly. 


¢ Ina listening state, the mobile device may 
be asked to perform a Location Area 
update. 


¢ Information from the subscriber's HLR will 
also be updated with the VLR name with 
which the subscriber is now registered. 


¢ This allows the network to identify the 
Location Area in which the subscriber 
resides. 


Roaming with a Mobile Device Connecting A Call 


* With the information exchange on the ¢ When placing or receiving a call witha 
Location Area, the subscriber’s home 


; : mobile device, the network knows which 
network will know the wireless network cell sector to which the subscriber is 
operator and MSC/VLR where the 

oe shee : : ; connected. 
subscriber is roaming, either in 


— The home network This particular location information is 

— Another network transient (possibly 72 hours or less) as 

— A network in another country compared to the information such as the 
calling party and called party, which can be 
found in most billing records. = 
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Areas of Digital Evidence 


Areas useful for forensics on wireless 
network: 


— Equipment connected to the mobile device 
— The mobile device itself 
— The wireless network 


— The subsequent network that the caller accesses 


Equipment on the Mobile Device 


¢ A laptop enabled by a mobile device may 
have been connected to a Ethernet or 
wireless (802.11) network. 


If a mobile device has then been used to 
dial-up to another network, then the laptop 
may contain useful data (time, numbers 
dialed, session logs). 


The Mobile Device 


The phone lists within the mobile device 
may contain: received call phone numbers, 
dialed phone numbers and missed phone 
numbers stamped with a data and time. 


Do not assume that the date and time are 
accurate on a mobile device. The subscriber 
may not have taken care to set the time 
exactly. 


Equipment on the Mobile Device 


¢ Criminal activity involving wireless 
networks can involve a laptop connected to 
a mobile device. 


¢ Data that may prove useful to an 
investigation may reside on the laptop or 
network. 


The Mobile Device 


¢ Many mobile devices have some sort of 


PIM (Personal Information Manager) built 
into the device that may yield useful 
information. 


The mobile device memory (and the SIM 
card) may contain critical information. 


The Mobile Device 


Most mobile devices have the capability to 
store names and phone numbers for a 
subscriber to dial. 


This information may also yield valuable 
information, such as names and numbers of 
people the subscriber communicates with 
regularly. 
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The Mobile Device The Mobile Device 


¢ The mobile device memory (and the SIM card) ¢ The mobile device may also hold voicemail 
can also hold other data of interest: number, voicemail PIN, numbers stored on 


aiseataiareanion speed dial and calling card information. 


eco ANS ee ¢ SMS messages of interest may still be 
— Ciphering keys 


MSI resident on the mobile device or SIM card. 


— MSISDN (phone number) for subscriber identification The inbox stores incoming SMS messages, 
: vas while the outbox or sent lists contain 
— Correlation to billing record 


— Location where the mobile device was last used. previously sent SMS ee 
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The Mobile Device The Wireless Network 


¢ Mobile devices may also use PIN numbers ¢ The MSC can be rich with digital evidence. 
that may hamper access to data resident in 


the mobile device. ¢ Billing records can contain the caller’s 


number, receiving party number, time when 


¢ When seizing mobile device, losing power, the call was placed, and duration of call. 


running out of battery power, or removing 


i ee ue rr the irretrievable ¢ Billing records may also note how and 


when payment was executed. 


The Wireless Network The Wireless Network 


¢ The HLR contains subscriber ¢ SMS messages may be kept for a varying 
information that can be matched to a period of time at the SM -SC (Short 
phone number. Message Service Center) 


— It is important to know that not all GSM — Messages for a particular subscriber may be 
network operators use EIRs. waiting here, ready to be forwarded. 


— These waiting unclaimed messages could be 
valuable for the investigator. 
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The Wireless Network 


¢ The OMC and the signaling links can 
provide data in real time regarding the 
activities of a subscriber. 


¢ Due to the extensive capabilities of the 
OMC, user activities of network operator 
personnel should be logged. These logs 
may also be useful. 


The Subsequent Network 


The caller may use a mobile device to 
accessed a subsequent network. 


If one network hands off to the other 
network, a record will be kept. This can be 
useful for determining a suspect’s activity 
near a border between countries roaming. 


However, the MSC may be in a different 
country and information from the foreign 
operator may not be readily available. 


Concerns with Encryption 


Wiretapping at the MSC is the easiest 
method to obtain unencrypted information. 


Cipher keys and authentication values used 
by mobile devices to encrypt 
communications are passed in clear text 
between MSCs . 


The Wireless Network 


¢ The elements in the core network interface 


with each other via the SS7 (Signaling 
System #7) protocol. 


¢ Logging SS7 data can yield information 


regarding mobile location or evidence 


indicating wireless subscriber fraud such 
as cloning. 


Concerns with Encryption 


¢ Most wireless technology standards 


emphasize security of the radio link but do 
not provide for real security on the core 
network where communications and 
signaling takes place. 


Information is not encrypted after the BTS 
(Base Transceiver Station). Easier to 
wiretap the non-radio links at the MSC 
rather than the radio link itself. 


Records kept in the MSC 


¢ The MSC is the heart of the network. 


— It stores everything internally in memory and 
releases these data as input to other functions 
in the switch. 


* Records collected by the switch pertain to 


— Billing 

— Fraud management 
— Security 

— Network operations 
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Billing 


Billing records are usually kept in a 
database for use by customer service. 


Billing data are typically archived for a long 
term, such as 7 years for both legal reasons 
and to monitor customer behavior over 
time. 


Fraud management 


The fraud management system analyzes the 
CDR for unusual and abnormal patterns. 


The fraud management system will note when 


a subscriber breaks this pattern and if this 


unusual activity continues for a period of time. 


The network operator may then call the 
subscriber to ensure that the mobile device is 
under the subscriber’s control. 


645 


Wiretapping 


When the subscriber’s mobile device makes 
acall or receives a call, 


— The operator’s switch will break out a second 
line for the call 


— The second line is then passed over a secure 
connection to the law enforcement personnel 
concerned. 


Billing 


¢ The anchor switch which routes a call from 
a mobile device is tasked for 


— Generating its own CDR (Charging Details 
Records) 


— Collecting CDR from other switches through 
which the call passes 


Wiretapping 


A judge may issue a court order demanding 
that a particular phone number of a 
suspect’s mobile device be wiretapped. 


The security department at the network 
operator can then authorizes a wiretap to be 
performed by its technical personnel. 


Network Operation Data 


Network operation details can quickly take 
up massive amounts of storage space. 


Records are soon aggregated into smaller 
summary files to save storage space, and to 
focus operator personnel on higher priority 
issues e.g. dropped calls. 
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Network Operation Data 


A phone call can pinpoint (down to the cell 
site) where the call was made from. 


However, after the operational network data 
are summarized, only the switch name 
associated with the call will be available. 


Location-Based Services 


Using position determining equipment, a 
mobile can also be ‘pinged’, thus 


— Forcing the mobile to re-register with the 
network 


— Provide signals for the position determining 
equipment to home in and fix a location 


Wireless LAN Technology 


Specifications Speed Frequency Techniques 


802.11 


802.11 


<2Mbps 2.4GHz _ Freq Hopping Spread Spectrum 
Direct Seq Spread Spectrum 


Infrared 


a <54 Mbps 5 GHz Orthogonal Freq Div Multiplex 


802.11b <11 Mbps 2.4GHz Direct Seq Spread Spectrum 


Location Based Services 


¢ Various types of position determining 
equipment (PDE) technologies exist to 
calculate the location of a subscriber down. 


Using these technologies, a wireless 
operator can provide to its subscribers 
location based services. 


— For instance, a message or advertisement could 
be sent to the subscriber’s mobile device about 
local attractions or services. 
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Location-Based Services 


Position determining technologies can also 
enable an operator to provide emergency 
services. 


When an emergency call is placed, the 
operator may be able to locate the position 
of the subscriber. 


Wireless LAN Analysis 


Areas useful for forensics on wireless LAN: 


— Equipment connected to the mobile device 
— The mobile device itself 
— The wireless network 


— The subsequent network that the caller accesses 
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Equipment on the Mobile Device 


¢ A laptop connection enabled by a WLAN 
card may be connected to an 802.11 
network. Software in the PC may contain 
useful data of network activity. 


The network to which a WLAN user is 
connected to may also contain session logs 
of the user’s activity within the network. 


The Wireless Network 


Access Point on the wireless network logs 
associations based on the MAC address. 
Most Access Points allow administrator to 
configure an access list based on MAC 
address. 


The Dynamic Host Configuration Protocol 
(DHCP) server then issues IP addresses to 
the WLAN users. 


The Wireless Network 


Access Points should have the ability to 
support encryption using Wired Equivalent 
Privacy (WEP). 


Even when the WEP is enabled, the 
Network and MAC information always 
passed in clear-text. 


The Mobile Device 


¢ Like the Network Interface Card on the 


Ethernet, the WLAN card has a fixed Media 
Access Control (MAC) address that is 
unique to the WLAN card and can also be 
used to identify the card’s vendor. 


The MAC address of the WLAN card can 
provide a form of identification of the 
mobile device used in the wireless 
connection. 


The Wireless Network 


An intruder can jump in and join a network 
for which he does not have permission to 
join by using a probing mechanism. 


Such probing mechanism permits a 
broadcast request to gather Access Point 
information and then carry out an auto-join 
function into the network. 


The Subsequent Network 


The subsequent network may contain 
session logs of the user’s activity within the 
network. 


Digital evidence in this area can be 
extremely difficult to access, particularly if 
the evidence is in another country. 





110 


THIS PAGE INTENTIONALLY LEFT BLANK 


172 


APPENDIX F: HANDOUTS FOR LABORATORY EXERCISES 


The following pages, 1 — 16, are the handouts for the laboratory exercises. 
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Forward 


This set of laboratory exercises is specially designed to illustrate the computer forensic concepts 
being taught in class. By performing the exercises, it will help you to understand and internalize 
the key concepts. In these exercises, you will barn to use operating system tools and rootkits to 
extract useful digital evidence as well as lay your hands on professional computer forensic 


software and freeware. 


The intention of this laboratory manual is not to spoon-feed you with step-by-step instructions on 
how to conduct a forensic examination. Rather, you will be expected to actively search for the 
relevant information, user instructions and downloads, in carrying out your exercises. This is to 
build up your resourcefulness and creativity towards tackling future forensic examinations. 
Pertinent technical guidance will accompany each of these exercises in order to help you get 


started. 


Do not attempt to copy from the forensic examination of other project groups, as each group will 


be issued with subject evidence with subtle differences among them. 


Maximize the use of the technical resources available in the laboratory and make this an 


enjoyable learning experience. Good luck. 


Contents 

Laboratory Exercise 1: Foundstone Forensic Toolkit...............cccsccsccssccsccsscccscesscesed 
Laboratory Exercise 2: EnCase (Guidance Software)...........sccscsssccsccscccsscssccsscessceeed 

Laboratory Exercise 3: AccessData Forensic ToolkKit..............ccccsccccscccccscccsscsccsssssned 
Laboratory Exercise 4: Windows Event Log Amallysis..............scssccsscsscccsccsscsscsssscoe LO 
Laboratory Exercise 5: DumpEvt (SomarSoft)..............sccscccscccsccccsccesscccscccsscesscsel 

Laboratory Exercise 6: Unix Log AnallySis..............ccccccsscccccsccccssssecsccccsccessccsssssse ld 


Laboratory Exercise 7: Network Analysis............ccsccccssccssccccscccccsscccsscccccscsssscscee lO 


Laboratory Exercise 1: Foundstone Forensic Toolkit 


Introduction 


The Foundstone Forensic Toolkit contains several Win32 command line tools to help examine 
files on a NTFS disk partition for unauthorized activity. Some of these open source tools include 


AFind lists files by their last access time without tampering the data the way that nght- 
clicking on file properties in Windows Explorer will. AFind allows you to search for access 
times between certain time frames, coordinating this with other logon information, you can 
determine user activity even if file logging has not been enabled. 


HFind scans the disk for hidden files. It will find files that have either the hidden attribute 
set, or NT's unique and painful way of hiding things by using the directory/system attribute 
combination. This is the method that Internet Explorer uses to hide data. HFind lists the last 
access times. 


SFind scans the disk for hidden data streams and lists the last access times. 


FileStat is a quick dump of all file and security attributes. It works on only one file at a time. 


Technical Guidance 


1. 


You should be able to obtain the necessary information and downloads from the 
knowledge page at www.foundstone.com to install the forensic software on your 
forensic PC. If you need specific technical assistance on the Foundstone Forensic 
Toolkit, you may contact labs@foundstone.com. The web page provides valuable 
information on the command line switches for the various embedded tools. 


You will need to first unzip the downloaded file before installation. 


You will also be issued a duplicate of the subject floppy disk you are going to 
examine. 


Open a DOS Command Prompt to run the forensic tools. You may also explore with 
the other tools in the Foundstone Forensic Toolkit that are not described above. You 
can type the name of the tools to list the command line switches that are applicable to 
them. 


Run Afind with the correct command line switch to determine files which were 
accessed within the last 2 days. 


Run Hfind with the correct command line switch to determine the last access time of 
the hidden files. 


Run Sfind with the correct command line switch to determine the last access time of 
the hidden data streams. 


You may also use FileStat to perform a quick dump of all the content and security 
attributes of the files you have examined above (one at a time) to your evidence file. 


Compare the above findings with that using the dir command in DOS. What are the 
command line switches required in dir to generate the equivalent information? 


Laboratory Exercise 2: EnCase (Guidance Software) 
Introduction 


EnCase is the industry leading computer forensic software tool used by most all computer 
forensic examiners. Award winning and court tested, EnCase software allows law enforcement 
and IT professionals to conduct a powerful, yet completely non-invasive computer forensic 
investigation. EnCase features a graphical user interface that enables examiners to easily manage 
large volumes of computer evidence and view all relevant files, including "deleted" files, file 
slack and unallocated data. The integrated functionality of EnCase allows the examiner to 
perform all functions of the computer forensic investigation process, from the initial 
"previewing" of a target drive, the acquisition of the evidentiary images, the search and recovery 
of the data and the final reporting of findings, all within the same application. The final reports 
and extracts generated by the built-in report feature documents the investigation results and 
integrity of the orginal data with a clear and concise chain of custody to ensure the 
authentication of the examined electronic evidence in a court of law. 


Requirements 


Installation of the forensic software 

Acquisition of evidence from the subject PC 
Creation of evidence files for forensic analysis 
Analysis of acquired evidence 

Recovery of deleted files and folders 

File signatures analysis 

Hash value analysis 

Temporal reconstruction of events 

Creation of forensic report 

0. Presentation of forensic analysis in class (20 min) 


SOO ONO et 


Technical Guidance 


1. You should be able to obtain the necessary information and downloads from 
www.encase.com to install the forensic software on your forensic PC. If you need 
specific technical assistance on EnCase, you may contact support@encase.com or 
help@encase.com, or go to the technical support web page. The web page provides 
valuable information on _ setting up, acquisition, analysis, archive, restoration, 
reporting and other technical support. 


2s You will be issued with a physical dongle in order for EnCase to run on your 
machine—a copyright protection feature. Attach the dongle onto your machine’s 
USB or parallel-port. You will also be issued with a user name and password to 
enable you to perform download from the EnCase website. 


10. 


El 


12: 


iter 


Download EnCase from the website to your Windows-based forensic PC (the 
computer used to conduct the forensic examination). Run setup.exe and _ install 
EnCase. Reboot your PC. 


Run EnCase. Goto the Tools menu to create an EnCase boot disk. The boot disk is 
used to boot up the subject PC (the computer you are going to examine). It can also 
be used to boot up your forensic PC to a safe version in DOS. 


Connect the subject PC directly to your forensic PC using either the lap-link parallel 
cable or network cross-over cable. In order to connect to the forensic PC on the 
network cable, ensure that the subject PC has a NIC supported by EnCase in the boot 
disk. You may also need to disconnect your forensic PC from the LAN if there is only 
one NIC on the machine. The list of supportable NIC can be found on 
www.encase.com/html/encase_network_boot_disk_page.htm. Otherwise, get the 
DOS packet driver for the specific NIC on the subject PC, copy and load (may require 
creating a config line in a batch file) the packet driver on the boot disk. 


Boot up the subject PC using the EnCase boot disk. Load the packet driver and launch 
EnCase for DOS. 


Boot your forensic PC into Windows, launch EnCase for Windows. You should be 
able to preview and acquire evidence on the subject PC from your forensic PC. 


Preview the subject PC. This feature is designed to allow you to pre-scan a suspected 
drive for potential evidence efficiently. As an exercise, you will not need to acquire 
the entire drive in the subject PC to your forensic PC for analysis—this will take too 
much memory, even if compressed, and too much of your time. You will just have to 
do a screen capture on a preview of the subject PC to show that you know how to 
preview and acquire evidence remotely. 


Explore the various functionalities of EnCase. 


Assuming the evidence is already captured on a floppy disk this is issued to you. 
Insert the floppy disk onto your forensic PC and acquire the evidence on the local 
disk. Create an evidence file of the subject floppy disk. 


You may also want to add external viewers (e.g. add MSWORD.EXE to for .doc files 
or OUTLOOK.EXE to for email messages) to EnCase to help view the data stream in 
the files more easily. 


Print out your certification of completion. Hint: It is a file attachment within another 
file that has been deleted in a hidden folder. Note the original file type may have been 
changed. 


Proceed to analyze and document your findings on the evidence file into a report. 
Perform the relevant steps to fulfill the laboratory requirement stated above. 


14. Summarize your forensic investigation and make a presentation of your case in a 
legally convincing manner in class. 


Laboratory Exercise 3: AccessData Forensic Toolkit 


The AccessData Forensic Toolkit (FTK) is a_ handy utility for computer crimes 
investigators. FTK offers users a complete suite of technologies needed when _ performing 
forensic examinations of computer systems. Its full text indexing offers quick advanced 
searching capabilities. Its deleted file recovery and file slack analysis are commendable. FTK is 
also interoperable with AccessData's password recovery and encryption file identification 
programs. In addition, the FITK incorporates Stellent's Outside In Viewer Technology to access 
over 255 different file formats. The Known File Filter (KFF) feature can be used to automatically 
pull out benign files that are known not to contain any potential evidence and flags known 
problem files for the investigator to immediately examine. FTK can also support evidence files 
acquired by EnCase, Snapback, SafeBack and Linux DD. 


Requirements 


1. Installation of the forensic software 

2; Acquisition of evidence from the subject floppy disk 

3. Creation of evidence files for forensic analysis 

4, Analysis of acquired evidence 

Ds Recovery of deleted files and folders 

6. File signatures analysis 

Ts Export of recovered deleted files and attachments 

8. Creation of forensic report 

9. Presentation of forensic analysis in class (20 min) 
Technical Guidance 

1. You should be able to obtain the necessary information and downloads from 


www.accessdata.com to install the forensic software on your forensic PC (the 
evaluation version is adequate for this laboratory exercise). If you need specific 
technical assistance on the AccessData Forensic Toolkit, you may obtain online 
support from its web page. 


oe You will need to first unzip the downloaded file before installation. 


3: You will also be issued a duplicate of the subject floppy disk you are going to 
examine, assuming the evidence is already captured on a floppy disk. 


4. Insert the floppy disk onto your forensic PC and acquire the evidence on the local 
disk. Create a new case. Adopt the default case log options, processes, case 


refinements and index. Add evidence and select the local drive of the floppy. 


2: Explore the various functionalities of FTK. 


Recover and export your certification of completion. Print the certificate using the 
original Microsoft Office application. Hint: You may use the impressive advanced 
searching capabilities of FTK with the keyword ‘certificate’. 


Proceed to analyze and document your findings on the evidence file into a report. 
Perform the relevant steps to fulfill the laboratory requirement stated above. 


Summarize your forensic investigation and make a presentation of your case in a 
legally convincing manner in class. 


Laboratory Exercise 4: Windows Event Log Analysis 
Introduction 


Microsoft WinNT/2K can be configured to log events in binary files, namely the 
a. System events in SysEvent.evt. The system log includes events in the system’s 
operation such as a failed or successful driver startup, an application crash or errors 
associated with data lost. 


b. Application events in AppEvent.evt. The application log is for events recorded by 
applications. 
C: Security events in SecEvent.evt. The security log contains information such as logon 


and logoff events, file manipulation, and other resource access events. 


Window NT/2K event log stores the descriptive messages in the registry and the separate 
executables (.exec) or dynamic link library (.dll) files. The Event Viewer combines and displays 
the information in these files, providing a convenient way to view the data. Consequently, 
copying event log (vt) files from one system to another for examination may result in 
misinterpretation when viewing event logs on a remote system. The Event Viewers will read the 
event record data from the remote log files, but will search the registry of the local system for the 
corresponding event message files. Unless the forensic PC have similar configuration to the 
imaged system, it may be necessary to extract all the registry keys and event message files from 
the image. By viewing the extracted logs using the Event Viewer, it is possible to create a short 
list of missing event message files and configure them in the forensic PC accordingly. Otherwise, 
the Event Viewer will not display explanatory material for any event for which there is no 
associated event message file. 


Requirements 


You are the System Administrator of a computer laboratory. It was reported to you that there was 
an intrusion originating from a Windows NT/2K machine in the laboratory. You are to examine 
the event logs on that machine with minimal disturbance to the logs that are continuously 
running on the machine. As such, you decide to extract the event logs and examine them using 
the Event Viewer on your forensic PC. Trace the security breaches recorded in the event log. 


Technical Guidance 


1. Extract the event logs and registry keys from the subject PC 
a. Copy the event log (.evt) files from C'\\WINNT\system32\config 
b. Run regedit 
C: Select 
HKEY_LOCAL_MACHINE\MSYSTEMCurrentControlSet\Services\Eventlog 
d. Select menu Registry>Export Registry Files 


2: Disable the current event logging on the forensic PC 
a. Right click My Computer on the desktop and select Manage 
b. Open Services and Applications\Services\Event Log 
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Select and apply Disabled under Startup Type 

This is necessary because when the event logging service does not shut down 
cleanly, the Windows Service Control Manager does not reset several bit 
values that indicate the files is open and thus cannot be accessed. The Event 
Viewer will report that the file is corrupted and will refuse to open it. 
However, the log is rarely corrupted in reality. 

Reboot the PC to apply the selected setting 

Right click My Computer on the desktop and select Manage 

Open Services and Applications\Services\Event Log 

Check that the event log is not started 

Rename the event log (.evt) files in C-\WINNT\system32\config 


Load the extracted event logs and registry keys onto the forensic PC 


> wm moeaogep 


Copy the extracted event log (.evt) files into CAWINN7T\system32\config 

Right click My Computer on the desktop and select Manage 

Open Services and Applications\Services\Event Log 

Select and apply Manual under Startup Type 

Start the event log services 

Run regedit 

Select 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog 
Select menu Registry>Import Registry Files 


Load the event message files onto the forensic PC 


a. 


Examine the data portion of each sub-key for EventMessageFile to reveal the 
path and file name of the file the Event Viewer uses to display explanatory 
text for each event. Since this is a tedious process, this exercise will be limited 
to the Security sub-keys only. 

Extract these required executables (.exe) or dynamic link library (dll) files 
from the subject PC and load them onto the forensic PC. 

Double click on the EventMessageFile to edit the path and file name of the 
registry (reg) files such that it points to the location of the appropriate 
extracted files on the forensic PC. 


Analyze the extracted event logs on the forensic PC 


a. 
b. 
ce 


Right click My Computer on the desktop and select Manage 

Select Services and Applications\System Tools\Event Viewer 

This will display the logs from the subject PC, but will add new events to the 
log files stamped with the current date and time. You may minimize such 
contamination by immediately generate new copies of the event logs using the 
Event Viewer’s Save As command. 

If you saved the event log with another file name, you may open the event log 
file using the Action\Open Log File menu option with the Log Type set to the 
corresponding type. 
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Laboratory Exercise 5: DumpEvt (SomarSoft) 
Introduction 


It was evident from the previous exercise, the clumsiness of performing manual Windows event 
log analysis on a remote forensic PC. Moreover displaying the logs using the Event Viewer is 
not very conducive for analysis since the Event Viewer is not integrated with other data 
processing tools. Even Microsoft recommends using the SomarSoft’s DumpEvt utility to dump 
contents of the event log into other formats suitable for spreadsheets and databases. Besides, 
performing separate log analysis on individual machines in a networked environment does not 
readily link a related event across multiple machines. Rather, importing the contents of multiple 
machines’ log files into a spreadsheet makes it easier to sort events chronologically and search 
the logs simultaneously. 


SomarSoft's DumpEvt is a Windows NT program designed to dump the event log in a format 
suitable for importing into a database. It is similar to the DUMPEL utility in the NT resource kit, 
but without some of the limitations. DumpEvt has also been updated to allow dumping of 
Windows 2000 event logs containing DNS, File Replication and Directory Service. 


Requirements 


You are to investigate an intrusion originating from a Windows NT/2K machine in the network. 
In particular, it was reported hat an intruder has remotely installed a Trojan client from machine 
A onto machine B on the same network. You are to install and use DumpEvt to examine the 
event logs on these machines to trace the security breaches recorded in their event log. 


Technical Guidance 


1. You should be able to obtain the necessary information and downloads from 
www.systemtools.com/somarsoft to install the event log dump utility on your forensic 
PC. The embedded Help menu provides valuable information on_ installation, 
command line options, known bugs and limitations, and other technical support. 


De You will need to first unzip the downloaded file before installation. 


Je Use the Notepad to create a batch (.bat) file to extract the event logs from machine A 
and machine B onto the forensic PC. 


For example, the following command lines will extract the whole (all) application log 
(app) from both the subject PC (machine A, machine B), and append them to (or 
create new) an output file (c:\evidence\application_log.csv) on the forensic PC, in a 
comma-delimited spreadsheet (csv) that can be viewed on Excel. The status and error 
messages of the extraction are appended to a text file (c:\evidence\error.txt). 


dumpevt.exe /computersmachine_A /logfile=app /outfile=c:\evidence\application_log.csv /all >> c:\evidence\error.txt 
dumpevt.exe /computersmachine_B /logfile=app /outfile=c:\evidence\application_log.csv /all >> c:\evidence\error.txt 


12 


4, 


5. 


Run the batch file. 


Open the output files using a spreadsheet to facilitate your analysis. 
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Laboratory Exercise 6: Unix Log Analysis 
Introduction 


Unix serves as a wonderful training ground for computer security specialists. It teaches about 
access permissions for objects; learning about those rwx's in directory listings gives one an 
appreciation for granular security. It builds on MS-DOS knowledge: hidden files are dot files in 
Unix. They become visible by the /s-al command (similar to dir /a:h). Unix expands on MS- 
DOS piping and redirection capabilities. Searching or manipulating files and directories using 
find and sort, an investigator, for example, can search a directory for inactive files (by date) and 
pipe the results into a report file. The find command also produce a comprehensive list of files 
with the SUID/SGID permission set. Using Unix scripting capabilities (similar to DOS batch 
files), an investigator may create combinations of commands into specialized programs to 
conduct security audits and to do file checking as a part of an inquiry. The grep command 
searches files or directories that contain a particular character string. This capability provides for 
granular searching. Unix also has the capability to list processes actively running on the machine 
by executing the command ps -ef. Processes may be deleted using the kill command. The top, 
head, and tail commands allow examination of portions of logs or process lists. 


The Unix system also has a comprehensive set of system configuration files that can prove to be 
an invaluable source of information to an investigator. The /efc/syslog.conf file sets the facility 
and priority level of individual logs. Some Unix services are specifically initiated or terminated 
based upon the configuration of scripts located in the /etc/rc directories. The investigator can get 
an idea of what services are launched by understanding the Unix scripting and services. Other 
services are initiated when needed by a daemon that listens for requests. For example, the 
Internet Daemon is controlled by /etc/inetd.conf and this file provides the name of the service, 
the type of delivery, protocol, wait status, UID, server and any arguments. The /etc/passwd file 
identifies the properties of the user accounts while password hashes are commonly protected in 
the /etc/shadow files. Since UID 0 should be reserved for root only, any other shared UID 0 
would ring a bell, so is a ‘nobody’ daemon account that references a user shell. Scheduled jobs 
planted by intruders can be found in /etc/cron.d. The syslog.conf configuration file can be used 
to identify logs with unique names and locations. 


Last but no least, the Unix system has a set of standard logs, which include 


a. witmp/witmpx keeps track of login and logouts. Grows in length and is extended to 
wtmpx. This file can be referred to by the /ast command. 

b. utmp/utmpx keeps track of users currently logged into the system. This file can be 
referred using the commands w, finger and who. 

C. lastlog keeps track of each users most recent login time and records their initiating IP 
Address and terminal. 

d. sulog records the usage of the su switch user command. 

ey httpd tracks originating IP address of WWW connections. 

f. History files keeps a record of recent commands used by the user in the SHOME 
directory. 

g. FTP Logs.xfr maintains extensive logs to track incoming connections and_ the 


originating IP address of the connection. 
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maillog provides status of mail handling. 

aculog records the username, time, date and phone number of dial out facilities. 
acct/pacct maintains a list of user’s commands and their process time they used. 
Packet sniffer logs captures network IP packets. 


ao re = 


Requirements 


You are the System Administrator of a Unix network server. It was reported to you that there are 
still system activities originating from the user account C/JSR in the past 1 week, although the 
particular employee with the above account UID has already left the organization for good. 
Using the rudimentary Unix commands, system configuration files and standard system logs, 
trace the activities associated with the user account C/SR in the past 1 week. 


Technical Guidance 


1. You will need to log in the Unix system as a System Administrator with root access 
privileges in order to access the system configuration files and system logs. 


2: It will be helpful to pipe and redirect the system configuration files and standard 


system logs to temporary files before using commands such as grep, find and sort to 
search or manipulate the files and directories for records with keyword CISR. 


15 


Laboratory Exercise 7: Network Analysis 
Introduction 


Analyzer is a fully configurable network analysis program for Win32 environment. It captures 
packets from network and displays them through a graphical interface. The user can choose the 
network adapter used for the capturing and monitoring process, specify an appropriate filter, 
select, copy and paste packets. This product is developed by the Politecnico di Torino and its 
contributors. It is released under a BSD-style license and partially sponsored by Microsoft 
Research. Analyzer can display the capture files created by WinDump and tcpdump if the capture 
files have the ACP extension. 


Requirements 


You will be issued a set of ACP files with the network traffic captured by WinDump, tcpdump or 
WinPcap (www.netgroup.polito.it). You are to download and use Analyzer to examine the 
network traffic. Investigate the websites visited by the user and analyze any suspicious network 
traffic that has been recorded. 


Technical Guidance 


1. You should be able to obtain the necessary information and downloads from 
www.nheteroup.polito.it to install the forensic software on your forensic PC. The Help 
menu provides a more detailed documentation of the Analyzer. 


2. You will need to first unzip the downloaded file before installation. 


3: You will be issued a set of ACP files with the network traffic captured on a floppy 
disk. Open the files in Analyzer to perform your analysis. 


4. Explore the various functionalities of Analyzer. It allows you to describe the protocol 
format, customize the display of the packets, evaluates statistics, plots graphs, set 
query on the analysis engine and set filter at the MAC, Network, Transport or 
Application Layer. 


Dd. Although not required in this exercise, Analyzer is also capable of capturing packets 
from the network for real time monitoring and creating capture files. It uses the 
WinPcap library to capture packets and set monitoring filters on the network traffic 


monitor. 


6. Present your findings in a written report. 
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